CVE-2025-66500 Foxit webplugins.foxit.com Stored Cross-Site Scripting via postMessage Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in webplugins.foxit.com. A postMessage handler fails to validate the message origin and directly assigns externalPath to a script source, allowing an attacker to execute arbitrary JavaScript when a crafted postMessage is received...
Cross-site Request Forgery (CSRF)
Apollo Studio Embeddable Explorer & Embeddable Sandbox are vulnerable to cross-site request forgery (CSRF). The vulnerability is due to missing origin validation in the client-side handling of window.postMessage events, which allows an attacker to send forged messages that trigger arbitrary GraphQL...
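The two entries above share one bug class: a window.postMessage handler that reads event.data without first checking event.origin. The following is an added example, not code from Foxit, Apollo or any project in this listing; it models the vulnerable handler beside a hardened one. The hostnames, the TRUSTED_ORIGINS allowlist and the externalPath field name are assumptions chosen to mirror the Foxit description.

```javascript
// Added example (not Foxit's or Apollo's code). Hostnames, TRUSTED_ORIGINS and the
// "externalPath" field name are assumptions made for illustration.

// Hypothetical allowlist of windows that are allowed to drive this page.
const TRUSTED_ORIGINS = new Set(["https://app.example.com"]);

// Vulnerable pattern: event.origin is never consulted, and event.data.externalPath goes
// straight into a <script src>. Any page holding a reference to this window (because it
// framed it, or opened it with window.open) can post the message.
function vulnerableHandler(event, loadScript) {
  const externalPath = event.data && event.data.externalPath;
  if (typeof externalPath !== "string") return { loaded: false, reason: "no path" };
  loadScript(externalPath); // attacker-controlled script source => arbitrary JS
  return { loaded: true, src: externalPath };
}

// Hardened pattern:
//  1. compare event.origin (set by the browser, not forgeable by the sender) to an allowlist;
//  2. treat the payload as untrusted data: resolve it against our own origin and refuse
//     anything that resolves elsewhere (absolute URLs, //host paths, javascript: URLs);
//  3. only then hand the same-origin URL to the loader.
function hardenedHandler(event, loadScript, selfOrigin) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return { loaded: false, reason: "untrusted origin" };
  const externalPath = event.data && event.data.externalPath;
  if (typeof externalPath !== "string") return { loaded: false, reason: "no path" };
  let url;
  try {
    url = new URL(externalPath, selfOrigin);
  } catch (e) {
    return { loaded: false, reason: "unparseable path" };
  }
  if (url.origin !== selfOrigin) return { loaded: false, reason: "cross-origin script" };
  loadScript(url.href); // same-origin path from an allowlisted sender only
  return { loaded: true, src: url.href };
}

// Builds the shape of a MessageEvent that the handlers read (constructed test input).
function fakeMessage(origin, data) {
  return { origin, data };
}

// The sending side has the mirror-image duty: name the target origin instead of "*",
// so a reply carrying data never lands in an attacker's window.
function postReply(targetWindow, payload, targetOrigin) {
  if (targetOrigin === "*") throw new Error("refusing to post with wildcard targetOrigin");
  targetWindow.postMessage(payload, targetOrigin);
}

// Stand-alone demo: `node file.js`.
if (typeof require !== "undefined" && require.main === module) {
  const loaded = [];
  const load = (src) => loaded.push(src);
  const evil = fakeMessage("https://attacker.example", { externalPath: "https://attacker.example/x.js" });
  console.log(vulnerableHandler(evil, load));                          // loaded: true
  console.log(hardenedHandler(evil, load, "https://plugins.example")); // untrusted origin
}
```

In a real page the handler is registered with window.addEventListener("message", ...) and loadScript creates the script element; keeping those two side effects behind a parameter is what lets the decision logic run and be checked outside a browser.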
EUVD-2023-44231
Malicious code in bioql PyPI...
CVE-2024-47084
Gradio is an open-source Python package designed for quick prototyping. The vulnerability lies in CORS origin validation: the Gradio server fails to validate the request origin when a cookie is present, which allows an attacker's website to make unauthorized requests to a local Gradio...
Oxwall Cross-Site Request Forgery Vulnerability
Oxwall is a fully functional social networking (SNS) system developed using PHP+MySQL. Oxwall has a cross-site request forgery vulnerability: the "/admin/pages/maintenance" script fails to properly validate the origin of HTTP requests, allowing an attacker to steal cookies from other users, spread...
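The Gradio and Oxwall entries above are the server-side counterpart of the same mistake: a cookie-bearing request is honoured without checking where it came from. The following is an added example, not Gradio's or Oxwall's code; it shows a reflecting CORS policy beside an allowlisted one, and an Origin/Referer check for state-changing requests, written as framework-free functions over request headers so that the decision logic runs under Node without a server. The ALLOWED_ORIGINS list, the hostnames and the selfOrigin value are assumptions.

```javascript
// Added example (not Gradio's or Oxwall's code). ALLOWED_ORIGINS and all hostnames are
// assumptions; header objects use lowercase keys as Node's http module exposes them.

// Hypothetical allowlist for a locally served app.
const ALLOWED_ORIGINS = new Set(["http://localhost:7860", "http://127.0.0.1:7860"]);

// Weak CORS policy: reflect whatever Origin the browser sent and also allow credentials.
// With that header pair the browser attaches the victim's cookie to a request from any
// site and hands the response body to that site.
function corsHeadersReflecting(headers) {
  const origin = headers.origin;
  if (!origin) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened CORS policy: credentialed responses only for allowlisted origins. Everything
// else gets no CORS headers at all, so the browser refuses the cross-site read.
function corsHeadersAllowlisted(headers) {
  const origin = headers.origin;
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin, // echo the matched value; "*" is invalid with credentials
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",                      // stop caches serving one origin's answer to another
  };
}

// CSRF guard for state-changing requests: a cookie-authenticated POST must carry an
// Origin (or, failing that, a Referer) that matches the site itself. Browsers set these
// headers; a cross-site form post arrives with the attacker's origin, and a request with
// neither header is refused (fail closed).
function isStateChanging(method) {
  return !["GET", "HEAD", "OPTIONS"].includes(method.toUpperCase());
}

function csrfCheck(method, headers, selfOrigin) {
  if (!isStateChanging(method)) return { ok: true, reason: "safe method" };
  if (!headers.cookie) return { ok: true, reason: "no session to forge" };
  let source = headers.origin;
  if (!source && headers.referer) {
    try { source = new URL(headers.referer).origin; } catch (e) { source = undefined; }
  }
  if (!source) return { ok: false, reason: "missing origin" };
  if (source !== selfOrigin) return { ok: false, reason: "cross-site origin " + source };
  return { ok: true, reason: "same-origin" };
}

// Stand-alone demo: `node file.js`.
if (typeof require !== "undefined" && require.main === module) {
  const attackerReq = { origin: "https://attacker.example", cookie: "session=abc" }; // constructed
  console.log(corsHeadersReflecting(attackerReq));  // reflects attacker origin + credentials
  console.log(corsHeadersAllowlisted(attackerReq)); // {}
  console.log(csrfCheck("POST", attackerReq, "https://social.example")); // ok: false
}
```

The Referer fallback matters for the CSRF check: some privacy settings strip Origin on same-site posts, and a check that only looks at Origin would then reject legitimate traffic or, if written the other way round, wave through any request that omits it.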