6 matches found

NVD
added 2026/04/23 4:16 p.m. | 2 views

CVE-2026-41239

DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Starting in version 1.0.10 and prior to version 3.4.0, SAFE_FOR_TEMPLATES strips ... expressions from untrusted HTML. This works in string mode but not with RETURN_DOM or RETURN_DOM_FRAGMENT, allowing XSS via...

CVSS 6.8 | EPSS 0.00059
Exploits: 0 | References: 2

NVD
added 2026/03/07 6:16 a.m. | 2 views

CVE-2026-30829

Checkmate is an open-source, self-hosted tool designed to track and monitor server hardware, uptime, response times, and incidents in real-time with beautiful visualizations. Prior to version 3.4.0, an unauthenticated information disclosure vulnerability exists in the GET /api/v1/status-page/:url...

CVSS 5.3 | EPSS 0.00032
Exploits: 1 | References: 1

RedhatCVE
added 2025/07/05 8:4 p.m. | 2 views

CVE-2025-53370

Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. From versions 1.9.4 to before 3.4.0, short descriptions set via the ShortDescription extension are inserted as raw HTML by the Citizen skin, allowing any user to insert arbitrary HTML into the DOM by editing a page...

CVSS 8.6 | AI score 6.2 | EPSS 0.0017
Exploits: 1 | References: 1

NVD
added 2025/07/03 8:15 p.m. | 3 views

CVE-2025-53368

Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. From versions 1.9.4 to before 3.4.0, page descriptions are inserted into raw HTML without proper sanitization by the Citizen skin when using the old search bar. Any user with page editing privileges can insert...

CVSS 8.6 | EPSS 0.0017
Exploits: 1 | References: 3

CVE
added 2025/07/03 7:45 p.m. | 13 views

CVE-2025-53370

CVE-2025-53370 concerns the Citizen MediaWiki skin. Versions 1.9.4 up to 3.3.9 expose a stored XSS via the ShortDescription extension: the shortdesc is inserted into the DOM as raw HTML, enabling arbitrary HTML/JS execution by page edits. A patch exists in version 3.4.0. Public references and adv...

CVSS 8.6 | AI score 6.5 | EPSS 0.0017
Exploits: 1 | References: 3 | Affected Software: 1

Patchstack
added 2024/03/25 12:0 a.m. | 10 views

WordPress EventPrime Plugin <= 3.3.9 is vulnerable to Cross Site Scripting (XSS)

Software: EventPrime; Type: Plugin; Vulnerable versions: <= 3.3.9; Fixed in: 3.4.0; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2024-29776; Patch priority: Low; CVSS severity: Low (5.9); PSID: 775222193de6; Credits: Mochamad Sofyan; Required privilege...

CVSS 5.9 | AI score 6.9 | EPSS 0.00135
Exploits: 0 | References: 2 | Affected Software: 1