35 matches found
CVE-2026-46367
phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in Utils::parseUrl that allows authenticated users to inject JavaScript via malformed URLs in comments. Attackers can craft URLs with unescaped quotes to inject event handlers, stealing admin session cookies and achieving...
Cross-site Scripting (XSS)
phpMyFAQ is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to improper escaping of malformed URLs in Utils::parseUrl, which allows an attacker to inject malicious JavaScript through comments and steal admin session cookies when affected pages are viewed...
phpMyFAQ: Stored XSS via Utils::parseUrl() in comment rendering
phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in Utils::parseUrl that allows authenticated users to inject JavaScript via malformed URLs in comments. Attackers can craft URLs with unescaped quotes to inject event handlers, stealing admin session cookies and achieving...
GHSA-W42G-JJ8W-FJ77 phpMyFAQ: Stored XSS via Utils::parseUrl() in comment rendering
phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in Utils::parseUrl that allows authenticated users to inject JavaScript via malformed URLs in comments. Attackers can craft URLs with unescaped quotes to inject event handlers, stealing admin session cookies and achieving...
CVE-2026-46367 phpMyFAQ - Stored XSS via Utils::parseUrl() in Comment Rendering
phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in Utils::parseUrl that allows authenticated users to inject JavaScript via malformed URLs in comments. Attackers can craft URLs with unescaped quotes to inject event handlers, stealing admin session cookies and achieving...
CVE-2021-25640
In Apache Dubbo prior to 2.6.9 and 2.7.9, the usage of parseURL method will lead to the bypass of white host check which can cause open redirect or SSRF vulnerability...
CVE-2024-34343
Nuxt.js navigateTo is vulnerable to XSS due to faulty handling of the javascript: protocol. The issue stems from how Nuxt uses unjs/ufo for URL parsing: the sequence tests for a protocol, then parses with parseURL, but parsing javascript:alert(1) can return null/empty, and whitespace isn’t stripp...
Hostname Spoofing
parse-url is vulnerable to hostname spoofing. The vulnerability exists because the parseUrl function of index.js does not properly identify the custom user in an SSH URL and hostname, allowing an attacker to gain sensitive information by redirecting to malicious URLs...
Authorization Bypass
parse-url is vulnerable to authorization bypass. The parseUrl function is unable to detect the correct host, leading to open redirect or server-side request forgery and causing information disclosure...
Server-side Request Forgery (SSRF)
parse-url is vulnerable to server-side request forgery (SSRF) attacks. Improper handling of user credentials allows remote attackers to bypass hostname checks and perform SSRF attacks via the vulnerable parseUrl function...
Apache Dubbo code issue vulnerability (CNVD-2022-53583)
Apache Dubbo is a lightweight Java-based RPC (Remote Procedure Call) framework of the Apache Foundation in the United States. The product provides interface-based remote calling, fault tolerance and load balancing, and automatic service registration and discovery. A security vulnerability exists in...
GHSA-GM48-83X4-84JG Server-side request forgery in Apache Dubbo
Bypass of CVE-2021-25640. In Apache Dubbo prior to 2.6.12 and 2.7.15, the usage of parseURL method will lead to the bypass of the white host check which can cause open redirect or SSRF vulnerability...
CVE-2022-24969
Bypass of CVE-2021-25640. In Apache Dubbo prior to 2.6.12 and 2.7.15, the usage of parseURL method will lead to the bypass of the white host check which can cause open redirect or SSRF vulnerability...
Server side request forgery (ssrf)
Bypass of CVE-2021-25640. In Apache Dubbo prior to 2.6.12 and 2.7.15, the usage of parseURL method will lead to the bypass of the white host check which can cause open redirect or SSRF vulnerability...
Apache Dubbo code issue vulnerability
Apache Dubbo is a lightweight Java-based RPC (Remote Procedure Call) framework of the Apache Foundation in the United States. The product provides interface-based remote calling, fault tolerance and load balancing, and automatic service registration and discovery. A security vulnerability exists in...
CVE-2022-24969 bypass of CVE-2021-25640
Bypass of CVE-2021-25640. In Apache Dubbo prior to 2.6.12 and 2.7.15, the usage of parseURL method will lead to the bypass of the white host check which can cause open redirect or SSRF vulnerability...
CVE-2022-24969
Apache Dubbo prior to versions 2.6.12 and 2.7.15 has a vulnerability where the parseURL method bypasses the white host check. The issue can enable open redirection or server-side request forgery (SSRF) as described in CVE-2022-24969 and related advisories. Affected component: parseURL handling in...
GHSA-GW4J-4229-Q4PX Server-Side Request Forgery in Apache Dubbo
In Apache Dubbo prior to 2.6.9 and 2.7.10, the usage of parseURL method will lead to the bypass of white host check which can cause open redirect or SSRF vulnerability...