20 matches found
CVE-2026-27512
Shenzhen Tenda F3 Wireless Router firmware V12.01.01.55multi contains a content-type confusion vulnerability in the administrative interface. Responses omit the X-Content-Type-Options: nosniff header and include attacker-influenced content that can be reflected into the response body. Under...
CVE-2026-27512 Tenda F3 Reflected Script Execution via Missing nosniff Header
Shenzhen Tenda F3 Wireless Router firmware V12.01.01.55multi contains a content-type confusion vulnerability in the administrative interface. Responses omit the X-Content-Type-Options: nosniff header and include attacker-influenced content that can be reflected into the response body. Under...
CVE-2026-1466
Jirafeau normally prevents browser preview for text files due to the possibility that for example SVG and HTML documents could be exploited for cross site scripting. This was done by storing the MIME type of a file and allowing only browser preview for MIME types beginning with image except for...
CVE-2026-1466
Jirafeau normally prevents browser preview for text files due to the possibility that for example SVG and HTML documents could be exploited for cross site scripting. This was done by storing the MIME type of a file and allowing only browser preview for MIME types beginning with image except for...
CVE-2026-1466 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Jirafeau
Jirafeau normally prevents browser preview for text files due to the possibility that for example SVG and HTML documents could be exploited for cross site scripting. This was done by storing the MIME type of a file and allowing only browser preview for MIME types beginning with image except for...
CVE-2026-1466
CVE-2026-1466 concerns Jirafeau, where the MIME-type based preview guard (image/* except image/svg+xml, plus video/audio) could be bypassed by sending a crafted request with an invalid MIME type (e.g., image). During preview, browsers may sniff the MIME type and detect SVG, potentially executing ...
CVE-2026-1466
Jirafeau normally prevents browser preview for text files due to the possibility that for example SVG and HTML documents could be exploited for cross site scripting. This was done by storing the MIME type of a file and allowing only browser preview for MIME types beginning with image except for...
EUVD-2026-4867
Jirafeau normally prevents browser preview for text files due to the possibility that for example SVG and HTML documents could be exploited for cross site scripting. This was done by storing the MIME type of a file and allowing only browser preview for MIME types beginning with image except for...
PT-2026-5062
CVE-2026-1466 Jirafeau normally prevents browser preview for text files due to the possibility that for example SVG and HTML documents could be exploited for cross site scripting. Th… https://t.co/rSEVfvxJRR...
CVE-2026-24439
Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.195037 fail to include the X-Content-Type-Options: nosniff response header on web management interfaces. As a result, browsers that perform MIME sniffing may incorrectly interpret attacker-influenced responses as executable...
CVE-2026-24439
Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.195037 fail to include the X-Content-Type-Options: nosniff response header on web management interfaces. As a result, browsers that perform MIME sniffing may incorrectly interpret attacker-influenced responses as executable...
CVE-2026-23625
OpenProject is an open-source, web-based project management software. Versions 16.3.0 through 16.6.4 are affected by a stored cross-site scripting vulnerability in the Roadmap view. OpenProject’s roadmap view renders the “Related work packages” list for each version. When a version contains work...
CVE-2026-23625 OpenProject has stored XSS regression using attachments and script-src self
OpenProject is an open-source, web-based project management software. Versions 16.3.0 through 16.6.4 are affected by a stored cross-site scripting vulnerability in the Roadmap view. OpenProject’s roadmap view renders the “Related work packages” list for each version. When a version contains work...
EUVD-2026-3309
OpenProject is an open-source, web-based project management software. Versions 16.3.0 through 16.6.4 are affected by a stored cross-site scripting vulnerability in the Roadmap view. OpenProject’s roadmap view renders the “Related work packages” list for each version. When a version contains work...
CVE-2026-23625
OpenProject is an open-source, web-based project management software. Versions 16.3.0 through 16.6.4 are affected by a stored cross-site scripting vulnerability in the Roadmap view. OpenProject’s roadmap view renders the “Related work packages” list for each version. When a version contains work...
PT-2026-3464
Name of the Vulnerable Software and Affected Versions OpenProject versions 16.3.0 through 16.6.4 Description OpenProject is a web-based project management software. A stored cross-site scripting issue exists in the Roadmap view. The issue occurs when a version contains work packages from a...
SUSE CVE-2014-7939
Google Chrome before 40.0.2214.91, when the Harmony proxy in Google V8 is enabled, allows remote attackers to bypass the Same Origin Policy via crafted JavaScript code with Proxy.create and console.log calls, related to HTTP responses that lack an "X-Content-Type-Options: nosniff" header...
FreeBSD : Jupyter notebook -- cross-site inclusion (XSSI) vulnerability (72a6e3be-483a-11e9-92d7-f1590402501e)
Jupyter notebook Changelog : 5.7.6 contains a security fix for a cross-site inclusion XSSI vulnerability, where files at a known URL could be included in a page from an unauthorized website if the user is logged into a Jupyter server. The fix involves setting the X-Content-Type-Options: nosniff...
chromium-browser: same-origin-bypass in V8
Google Chrome before 40.0.2214.91, when the Harmony proxy in Google V8 is enabled, allows remote attackers to bypass the Same Origin Policy via crafted JavaScript code with Proxy.create and console.log calls, related to HTTP responses that lack an "X-Content-Type-Options: nosniff" header...
UBUNTU-CVE-2014-7939
Google Chrome before 40.0.2214.91, when the Harmony proxy in Google V8 is enabled, allows remote attackers to bypass the Same Origin Policy via crafted JavaScript code with Proxy.create and console.log calls, related to HTTP responses that lack an "X-Content-Type-Options: nosniff" header...