3 matches found
CVE-2026-52842
Lightpanda (headless browser) prior to version 0.3.1 incorrectly searched for the character @ across the entire URL when computing origin, rather than only the authority component. This caused a URL like http://attacker.com/@victim.com/ to be fetched from attacker.com but treated as http://victim...
CVE-2025-23086
On most desktop platforms, Brave Browser versions 1.70.x-1.73.x included a feature to show a site's origin on the OS-provided file selector dialog when a site prompts the user to upload or download a file. However the origin was not correctly inferred in some cases. When combined with an open...
SUSE CVE-2007-5947
The jar protocol handler in Mozilla Firefox before 2.0.0.10 and SeaMonkey before 1.1.7 retrieves the inner URL regardless of its MIME type, and considers HTML documents within a jar archive to have the same origin as the inner URL, which allows remote attackers to conduct cross-site scripting XSS...