Lucene search
+L

34 matches found

cvelist
cvelist
added 2026/07/08 4:9 p.m.34 views

CVE-2026-59895 Hono: Server-Side XSS via JSX Escaping Bypass in cx() Utility

Hono is a Web application framework that provides support for any JavaScript runtime. From 4.0.0 before 4.12.27, cx in hono/css composes class names from plain strings but marks the result as already escaped without HTML-escaping the input, allowing untrusted className values used in a JSX class...

6.1CVSS0.00187EPSS
Exploits0References3
ptsecurity
ptsecurity
added 2026/07/08 12:0 a.m.8 views

PT-2026-56505

Name of the Vulnerable Software and Affected Versions Hono versions 4.0.0 through 4.12.26 Description The cx function in hono/css composes class names from plain strings but marks the result as already escaped without performing HTML-escaping on the input. This allows untrusted className values...

6.1CVSS6.2AI score0.00187EPSS
Exploits0References9
osv
osv
added 2026/06/24 11:7 a.m.7 views

BIT-NIFI-2026-44913 Apache NiFi: Improper Escaping of Table Names in CaptureChangeMySQL

Improper escaping of database table names in the CaptureChangeMySQL Processor included with Apache NiFi 1.2.0 through 2.9.0 allows for injecting SQL commands using crafted naming. Manual quoted boundaries added in Apache NiFi 1.8.0 narrowed the scope of potential injection options, but did not...

7.2CVSS5.9AI score0.00385EPSS
Exploits0References3
osv
osv
added 2026/06/22 5:31 p.m.3 views

CVE-2026-50146 Astro: Reflected XSS via unescaped slot name

Astro is a web framework. Prior to 6.3.3, when a component uses a client: directive, Astro inserts named slot content into a data-astro-template attribute without HTML escaping the slot name allowing an attacker to break out of the attribute context and inject arbitrary HTML, resulting in reflect...

7.1CVSS6.1AI score0.00177EPSS
Exploits1References3
nvd
nvd
added 2026/06/22 8:17 a.m.15 views

CVE-2026-44913

Improper escaping of database table names in the CaptureChangeMySQL Processor included with Apache NiFi 1.2.0 through 2.9.0 allows for injecting SQL commands using crafted naming. Manual quoted boundaries added in Apache NiFi 1.8.0 narrowed the scope of potential injection options, but did not...

7.2CVSS0.00385EPSS
Exploits0References2
attackerkb
attackerkb
added 2026/06/22 7:36 a.m.8 views

CVE-2026-44913

Improper escaping of database table names in the CaptureChangeMySQL Processor included with Apache NiFi 1.2.0 through 2.9.0 allows for injecting SQL commands using crafted naming. Manual quoted boundaries added in Apache NiFi 1.8.0 narrowed the scope of potential injection options, but did not...

5.2CVSS5.9AI score0.00385EPSS
Exploits0References2Affected Software1
snyk
snyk
added 2026/06/16 2:5 p.m.11 views

Cross-site Scripting (XSS)

Overview astro is an Astro is a modern site builder with web best practices, performance, and DX front-of-mind. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the data-astro-template attribute when a component uses a client: directive and the slot name is not...

7.1CVSS5.8AI score0.00177EPSS
Exploits1References3
github
github
added 2026/06/04 2:24 p.m.87 views

Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection

Summary Axios versions before 0.32.0 on the 0.x line and before 1.16.0 on the 1.x line build a regular expression from the configured XSRF cookie name without escaping regex metacharacters. In standard browser environments, an attacker who can influence the cookie name passed to axios can cause...

7.5CVSS6AI score0.00622EPSS
Exploits1References4Affected Software1
redhat
redhat
added 2026/05/26 5:9 a.m.14 views

dnsmasq: dnsmasq: heap buffer overflow in cache via NAME_ESCAPE expansion

A heap buffer overflow was discovered in dnsmasq's DNS cache. When processing DNS responses, dnsmasq expands certain characters into longer escape sequences, but the cache buffer is not sized to hold the expanded result. A specially crafted DNS response can overflow this buffer, potentially...

7.3CVSS6AI score0.00754EPSS
Exploits1References4
cnnvd
cnnvd
added 2026/05/05 12:0 a.m.13 views

Traccar 安全漏洞

Traccar is a Java-based website building system provided by the American company Traccar. This software supports over 170 GPS protocols and over 1500 types of GPS tracking devices. Traccar can be used alongside any major SQL database systems. It also offers a user-friendly REST API. There were...

5.4CVSS5.8AI score0.00183EPSS
Exploits1References2
cnnvd
cnnvd
added 2026/03/23 12:0 a.m.9 views

Mantis Bug Tracker 跨站脚本漏洞

Mantis Bug Tracker MantisBT is an open-source bug tracker developed by Mantis Bug Tracker. Version 2.28.0 of Mantis Bug Tracker contains a cross-site scripting vulnerability. This vulnerability arises from improper name escaping when deleting tags, which may lead to cross-site scripting attacks...

8.6CVSS5.6AI score0.00243EPSS
Exploits0References3
cnnvd
cnnvd
added 2026/02/24 12:0 a.m.9 views

NiceGUI 跨站脚本漏洞

NiceGUI is an easy-to-use, Python-based UI framework developed under the open source license. Versions of NiceGUI prior to 3.8.0 contained a cross-site scripting vulnerability. This vulnerability stemmed from the use of eval in multiple client APIs, and incorrect escaping of method names, which...

6.1CVSS6AI score0.00163EPSS
Exploits0References2
nessus
nessus
added 2026/01/14 12:0 a.m.6 views

MiracleLinux 4 : bind-dyndb-ldap-1.1.0-0.9.b1.0.2.AXS4 (AXSA:2012-800:03)

The remote MiracleLinux 4 host has a package installed that is affected by a vulnerability as referenced in the AXSA:2012-800:03 advisory. This package provides an LDAP back-end plug-in for BIND. It features support for dynamic updates and internal caching, to lift the load off of your LDAP serve...

4.3CVSS6.6AI score0.02325EPSS
Exploits0References2
veracode
veracode
added 2025/10/28 4:42 p.m.8 views

Cross-site Scripting (XSS)

io.vertx:vertx-web is vulnerable to Cross-site Scripting XSS. The vulnerability is due to improper escaping of file and directory names in generated HTML when directory listing is enabled, which allows an attacker to craft malicious filenames that execute arbitrary scripts in the browser of users...

6.4CVSS6.6AI score0.00265EPSS
Exploits1References4Affected Software1
euvd
euvd
added 2025/10/03 8:7 p.m.5 views

EUVD-2022-3686

Malicious code in bioql PyPI...

5.4CVSS5.6AI score0.00735EPSS
Exploits0References4
cnnvd
cnnvd
added 2025/08/22 12:0 a.m.4 views

Apache Log4cxx 安全漏洞

Apache Log4cxx is the United States Apache Apache Foundation of a C + + logging framework patterned on Apache log4j . A cross-site scripting vulnerability exists in Apache Log4cxx versions prior to 1.5.0, which stems from HTMLLayout not properly escaping logger names, and can be exploited by an...

5.4CVSS6.2AI score0.01084EPSS
Exploits0References5
cnnvd
cnnvd
added 2024/05/03 12:0 a.m.14 views

WordPress 跨站脚本漏洞

WordPress is a suite of blogging platforms developed in the PHP language by the WordPress Foundation. The platform supports personal blog sites on servers running PHP and MySQL. A cross-site scripting vulnerability exists in WordPress Core 6.5.2 and earlier versions, which stems from insufficient...

7.2CVSS6.2AI score0.70822EPSS
Exploits4References7
ptsecurity
ptsecurity
added 2024/03/06 12:0 a.m.7 views

PT-2024-22302 · Jenkins · Jenkins Build Monitor View Plugin +1

Name of the Vulnerable Software and Affected Versions: Jenkins Build Monitor View Plugin versions 1.14-860.vd06ef2568b 3f and earlier Description: The issue results from the failure to escape Build Monitor View names, leading to a stored cross-site scripting XSS vulnerability. This vulnerability...

5.4CVSS5.2AI score0.80173EPSS
Exploits0References8
ptsecurity
ptsecurity
added 2023/07/17 12:0 a.m.11 views

PT-2023-16270 · WordPress · Nex-Forms

Name of the Vulnerable Software and Affected Versions: NEX-Forms WordPress plugin versions prior to 8.4.4 Description: The issue is related to Stored Cross-Site Scripting, which could be caused by the lack of proper escaping of the form name. This could potentially be exploited by users with acce...

5.4CVSS6AI score0.00367EPSS
Exploits1References3
osv
osv
added 2023/06/09 6:15 a.m.5 views

CVE-2023-1404

The Weaver Show Posts Plugin for WordPress is vulnerable to stored Cross-Site Scripting due to insufficient escaping of the profile display name in versions up to, and including, 1.6. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitra...

5.4CVSS7.4AI score0.00508EPSS
Exploits2References2
Rows per page
Query Builder