ROOT-APP-NPM-CVE-2024-4367 CVE-2024-4367 in @rootio/pdfjs-dist - Patched by Root
Root has patched CVE-2024-4367 in the @rootio/pdfjs-dist package for Root:npm. Multiple fixed versions available...
Malicious code in pdfjs-dist-fourth (npm)
Source: amazon-inspector fcaf355459e8baaef860a557036e51431e6eb6c44dcba0e800579cf978f2f64d The package pdfjs-dist-fourth was found to contain malicious code. Source: ossf-package-analysis...
MAL-2026-1257 Malicious code in pdfjs-dist-fourth (npm)
Source: amazon-inspector fcaf355459e8baaef860a557036e51431e6eb6c44dcba0e800579cf978f2f64d The package pdfjs-dist-fourth was found to contain malicious code. Source: ossf-package-analysis...
MAL-2026-1216 Malicious code in pdfjs-dist-v5 (npm)
Source: amazon-inspector e5827ccd19d073818da31059d76a725b171d1fc793a4f2591ed0118a35b46c35 The package pdfjs-dist-v5 was found to contain malicious code. Source: ossf-package-analysis...
Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in pdfjs-dist-2.4.456.tgz
Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in pdfjs-dist-2.4.456.tgz Vulnerability Details CVEID: CVE-2024-4367 DESCRIPTION: A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js...
SUSE CVE-2025-47943
Gogs is an open source self-hosted Git service. In application version 0.14.0+dev and prior, there is a stored cross-site scripting (XSS) vulnerability present in Gogs, which allows client-side JavaScript code execution. The vulnerability is caused by the usage of a vulnerable and outdated componen...
Cross-site Scripting (XSS)
github.com/gogs/gogs is vulnerable to Cross-site Scripting XSS. The vulnerability is due to the inclusion of an outdated version of pdfjs v1.4.20 that allows client-side JavaScript execution...
GHSA-XH32-CX6C-CP4V Gogs XSS allowed by stored call in PDF renderer
Summary A stored XSS is present in Gogs which allows client-side JavaScript code execution. Details Gogs Version: docker images REPOSITORY TAG IMAGE ID CREATED SIZE gogs/gogs latest fe92583bc4fe 10 hours ago 99.3MB Application version: 0.14.0+dev Local setup using: bash Pull image from Docker Hub...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the pdfjs-1.4.20 component under public/plugins/. An attacker can execute arbitrary JavaScript code in the context of the user's browser by injecting malicious scripts into PDF files rendered by the...
CVE-2025-47943
Gogs is an open source self-hosted Git service. In application version 0.14.0+dev and prior, there is a stored cross-site scripting (XSS) vulnerability present in Gogs, which allows client-side JavaScript code execution. The vulnerability is caused by the usage of a vulnerable and outdated componen...
CVE-2025-47943 Gogs stored XSS in PDF renderer
Gogs is an open source self-hosted Git service. In application version 0.14.0+dev and prior, there is a stored cross-site scripting (XSS) vulnerability present in Gogs, which allows client-side JavaScript code execution. The vulnerability is caused by the usage of a vulnerable and outdated componen...
PT-2025-26689 · Pdf.Js +1
Name of the Vulnerable Software and Affected Versions: Gogs versions 0.14.0+dev and prior Description: Gogs is an open source self-hosted Git service. The issue is a stored cross-site scripting (XSS) vulnerability, which allows client-side JavaScript code execution. This is caused by the usage of a...
Gogs Security Vulnerability
Gogs Go Git Service is a self-service Git hosting service based on Go language by the Gogs team, which supports creating and migrating public/private repositories, adding and deleting repository collaborators, and so on. A security vulnerability exists in Gogs 0.14.0+dev and earlier versions, whi...
Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in pdfjs-dist
Summary IBM Watson Discovery for IBM Cloud Pak for Data contains a vulnerable version of pdfjs-dist Vulnerability Details CVEID: CVE-2024-4367 DESCRIPTION: A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context. This...
Script execution via PDF as attachment - CVE-2021-39111
The PDF attachment preview uses a vulnerable PDF.js library. To confirm the vulnerability, we uploaded a PDF file containing JavaScript. After opening a preview of the PDF file, the console displayed the message "Hello, xss is working," indicating that the JavaScript code had been successfully executed...
firefox: thunderbird: Cross-origin access to PDF contents through multipart responses
A flaw was found in Mozilla. The Mozilla Foundation's Security Advisory describes the issue as follows: An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the resource://pdf.js origin. This could allow them to access cross-origin PDF content. This...
Gitlab -- Vulnerabilities
Gitlab reports: 1-click account takeover via XSS in the code editor in gitlab.com A DOS vulnerability in the 'description' field of the runner CSRF via K8s cluster-integration Using Set Pipeline Status of a Commit API incorrectly create a new pipeline when SHA and pipelineid did not match Redos o...
SUSE CVE-2024-4367
A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context. This vulnerability affects Firefox 126, Firefox ESR 115.11, and Thunderbird 115.11...