84 matches found

Github Security Blog | added 2026/05/07 12:04 a.m. | 5 views

Weblate vulnerable to XSS via crafted Markdown

Impact: The Markdown renderer used in user comments and other user-provided content didn't properly sanitize some attributes. Patches: https://github.com/WeblateOrg/weblate/pull/19259. Workarounds: Even though the attacker might be able to inject code into the HTML, Weblate's strict CSP should...

CVSS 4.3 | AI score 5.8 | EPSS 0.00011
Exploits 0 | References 6 | Affected software 1
OSV | added 2026/04/16 8:41 p.m. | 0 views

GHSA-VJ45-X3PJ-F4W4 Weblate: Improper access control for pending tasks in API

Impact: The API for tasks didn't verify user access for pending tasks. This could expose logs of in-progress operations to users who don't have access to the given scope. Patches: https://github.com/WeblateOrg/weblate/pull/18515. Workarounds: The attacker needs to guess the random UUID of the task, so...

CVSS 3.1 | AI score 5.8 | EPSS 0.00011
Exploits 0 | References 5
EUVD | added 2025/10/03 8:07 p.m. | 1 views

EUVD-2023-45652

Malicious code in bioql PyPI...

CVSS 5.3 | AI score 7.5 | EPSS 0.00108
Exploits 0 | References 1
OSSF Malicious Packages | added 2025/08/14 6:52 p.m. | 2 views

Malicious code in @michaljaz/backdoor (npm)

The package @michaljaz/backdoor was found to contain malicious code...

AI score 7
Exploits 0
NVD | added 2025/06/17 3:15 p.m. | 3 views

CVE-2025-48145

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Michal Jaworski Track, Analyze & Optimize by WP Tao (wp-tao) allows Reflected XSS. This issue affects Track, Analyze & Optimize by WP Tao: from n/a through 1.3...

CVSS 7.1 | EPSS 0.00185
Exploits 0 | References 1
Vulnrichment | added 2025/06/17 3:01 p.m. | 3 views

CVE-2025-48145 WordPress Track, Analyze & Optimize by WP Tao plugin <= 1.3 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Michal Jaworski Track, Analyze & Optimize by WP Tao (wp-tao) allows Reflected XSS. This issue affects Track, Analyze & Optimize by WP Tao: from n/a through 1.3...

CVSS 7.1 | AI score 5.9 | EPSS 0.00185
Exploits 0 | References 1
RedhatCVE | added 2025/05/23 1:45 a.m. | 2 views

CVE-2023-41133

Authentication Bypass by Spoofing vulnerability in Michal Novák Secure Admin IP allows Functionality Bypass. This issue affects Secure Admin IP: from n/a through 2.0...

CVSS 5.3 | AI score 7.3 | EPSS 0.00108
Exploits 0 | References 1
NVD | added 2024/12/13 3:15 p.m. | 3 views

CVE-2023-41133

Authentication Bypass by Spoofing vulnerability in Michal Novák Secure Admin IP allows Functionality Bypass. This issue affects Secure Admin IP: from n/a through 2.0...

CVSS 5.3 | EPSS 0.00108
Exploits 0 | References 1
Vulnrichment | added 2024/12/13 2:24 p.m. | 5 views

CVE-2023-41133 WordPress Secure Admin IP plugin <= 2.0 - IP Spoofing vulnerability

Authentication Bypass by Spoofing vulnerability in Minor Secure Admin IP (secure-admin-ip) allows Functionality Bypass. This issue affects Secure Admin IP: from n/a through 2.0...

CVSS 5.3 | AI score 7.1 | EPSS 0.00108
Exploits 0 | References 1
Cvelist | added 2024/12/13 2:24 p.m. | 16 views

CVE-2023-41133 WordPress Secure Admin IP plugin <= 2.0 - IP Spoofing vulnerability

Authentication Bypass by Spoofing vulnerability in Michal Novák Secure Admin IP allows Functionality Bypass. This issue affects Secure Admin IP: from n/a through 2.0...

CVSS 5.3 | EPSS 0.00108
Exploits 0 | References 1
Github Security Blog | added 2024/02/07 5:30 p.m. | 172 views

CKEditor4 Cross-site Scripting vulnerability caused by incorrect CDATA detection

Affected packages: The vulnerability has been discovered in the core HTML parsing module and may affect all editor instances that either enabled full-page editing mode, or enabled CDATA elements in the Advanced Content Filtering configuration (which defaults to the script and style elements). Impact: A potential...

CVSS 6.1 | AI score 6.5 | EPSS 0.00169
Exploits 0 | References 8 | Affected software 2
OpenVAS | added 2022/08/26 12:00 a.m. | 19 views

Ubuntu: Security Advisory (USN-2489-1)

SPDX-FileCopyrightText: 2022 Greenbone AG. SPDX-License-Identifier: GPL-2.0-only. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. The remote host is missing an update for the...

CVSS 5 | AI score 7.6 | EPSS 0.58381
Exploits 0 | References 2
Oracle linux | added 2022/08/08 12:00 a.m. | 68 views

virt:kvm_utils security update

libvirt 5.7.0-34.el8
- qemu: blockcopy: Allow late opening of the backing chain of a shallow copy (Peter Krempa) Orabug: 33091019
- qemu: capabilities: Introduce QEMU_CAPS_BLOCKDEV_SNAPSHOT_ALLOW_WRITE_ONLY (Peter Krempa) Orabug: 33091019
- qemuDomainBlockCopyCommon: Record updated flags to block job (Peter...

CVSS 8.2 | AI score 0.2 | EPSS 0.00612
Exploits 3
Oracle linux | added 2022/02/25 12:00 a.m. | 71 views

virt:kvm_utils security update

hivex 1.3.18-21
- Bounds check for block exceeding page length (CVE-2021-3504), resolves: rhbz#1950501
libguestfs 1.40.2-28.0.1
- Replace upstream references from description tag
- Config supermin to use host yum.conf in ol8, Orabug: 29319324
- Set DISTROORACLELINUX corresponding to ol
1:1.40.2-28
- ...

CVSS 8.5 | AI score 7.3 | EPSS 0.00569
Exploits 7
Patchstack | added 2022/02/16 12:00 a.m. | 13 views

WordPress Login with phone number plugin <= 1.3.6 - Unauthenticated Remote Plugin Deletion vulnerability

Unauthenticated Remote Plugin Deletion vulnerability discovered by Michal Lipinski in WordPress Login with phone number plugin versions <= 1.3.6. Solution: Update the WordPress Login with phone number plugin to the latest available version (at least 1.3.7)...

CVSS 6.5 | AI score 2.8 | EPSS 0.00539
Exploits 2 | References 3 | Affected software 1
OSV | added 2021/01/04 6:22 p.m. | 21 views

GHSA-8J9V-H2VP-2HHV XSS in HtmlSanitizer

Impact: If you have explicitly allowed the tag, an attacker could craft HTML that includes script after passing through the sanitizer. The default settings disallow the tag, so there is no risk if you have not explicitly allowed it. Patches: The problem has been fixed in version 5.0.372...

CVSS 6.1 | AI score 6.1 | EPSS 0.00344
Exploits 0 | References 5
Openbugbounty | added 2020/09/08 11:22 a.m. | 3 views

michal-pawelczyk.net Cross Site Scripting vulnerability OBB-1315239

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence...

AI score 6.2
Exploits 0
Openbugbounty | added 2019/06/27 12:09 p.m. | 7 views

michal-kenis.trade.cz Cross Site Scripting vulnerability

Security Researcher Hchabik (helped patch 2348 vulnerabilities; received 5 Coordinated Disclosure badges and 2 recommendations), a holder of 5 badges for responsible and coordinated disclosure, found a security vulnerability affecting the michal-kenis.trade.cz website and its users. Following...

AI score 0.1
Exploits 0
FreeBSD | added 2018/06/06 12:00 a.m. | 30 views

chromium -- Incorrect handling of CSP header

Google Chrome Releases reports: 1 security fix contributed by external researchers: [845961] High CVE-2018-6148: Incorrect handling of CSP header. Reported by Michal Bentkowski on 2018-05-23...

CVSS 6.5 | AI score 2.8 | EPSS 0.00094
Exploits 0 | References 1
Tenable Nessus | added 2018/04/04 12:00 a.m. | 27 views

Debian DSA-4165-1 : ldap-account-manager - security update

Michal Kedzior found two vulnerabilities in LDAP Account Manager, a web front-end for LDAP directories. - CVE-2018-8763: The Reflected Cross Site Scripting (XSS) vulnerability found might allow an attacker to execute JavaScript code in the browser of the victim or to redirect her to a malicious...

CVSS 8.8 | AI score 7.1 | EPSS 0.00447
Exploits 3 | References 8