Lucene search
K

11 matches found

NVD
NVD
added 15 hours ago7 views

CVE-2026-44767

setThemeRoot failed to enforce the sap-allowed-theme-origins allowlist. An attacker-controlled absolute cross-origin URL could be stored and used directly to construct a element, even when no tag was present in the document. The same bypass was reachable via the ?sap-themeRoot URL...

6.1CVSS
Exploits0References2
Cvelist
Cvelist
added 16 hours ago9 views

CVE-2026-44767 Allowlist Bypass in setThemeRoot() Enables Cross-Origin CSS Injection

setThemeRoot failed to enforce the sap-allowed-theme-origins allowlist. An attacker-controlled absolute cross-origin URL could be stored and used directly to construct a element, even when no tag was present in the document. The same bypass was reachable via the ?sap-themeRoot URL...

6.1CVSS
Exploits0References2
EUVD
EUVD
added 16 hours ago6 views

EUVD-2026-43597

setThemeRoot failed to enforce the sap-allowed-theme-origins allowlist. An attacker-controlled absolute cross-origin URL could be stored and used directly to construct a element, even when no tag was present in the document. The same bypass was reachable via the ?sap-themeRoot URL...

6.1CVSS6.2AI score
Exploits0References2
Cvelist
Cvelist
added 2026/06/26 7:30 p.m.25 views

CVE-2026-44696 OpenProject: Stored CSS injection via Sanitize::Config::RELAXED[:css] enables phishing overlays and data exfiltration

OpenProject is open-source, web-based project management software. Prior to 17.4.0, OpenProject's rich text markdown rendering pipeline uses Sanitize::Config::RELAXED:css for inline style sanitization. This configuration permits essentially all CSS properties in style attributes on permitted HTML...

5.7CVSS0.00211EPSS
Exploits0References1
CVE
CVE
added 2026/06/26 7:30 p.m.13 views

CVE-2026-44696

OpenProject prior to 17.4.0: the rich text (markdown) rendering pipeline uses Sanitize::Config::RELAXED[:css], permitting essentially all CSS in style attributes on elements like figure, img, table, th, tr, td. This enables any authenticated user with write access to formattable fields (work pack...

5.7CVSS5.8AI score0.00211EPSS
Exploits0References1
Snyk
Snyk
added 2026/06/18 2:49 p.m.2 views

Cross-site Scripting (XSS)

Overview getgrav/grav is a Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the style function. An attacker can inject arbitrary CSS into the rendered attribute by supplying specially craft...

4.8CVSS5.8AI score0.00187EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/09 12:0 a.m.14 views

PT-2026-39328

Name of the Vulnerable Software and Affected Versions Hono versions prior to 4.12.18 Description The JSX renderer escapes style attribute object values for HTML but not for CSS. When untrusted input is interpolated into a JSX style object and rendered server-side, characters that act as CSS...

4.3CVSS5.8AI score0.00197EPSS
Exploits0References170
Positive Technologies
Positive Technologies
added 2026/05/05 12:0 a.m.17 views

PT-2026-37310

Name of the Vulnerable Software and Affected Versions YetAnotherForum.NET YAF.NET versions prior to 4.0.5 YetAnotherForum.NET YAF.NET versions prior to 3.2.12 Description The thread posting and reply feature allows user-supplied content to be stored server-side and rendered on the thread page...

7.3CVSS5.9AI score0.00199EPSS
Exploits0References6
EUVD
EUVD
added 2026/04/06 5:20 p.m.8 views

EUVD-2026-19390

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, Tandoor Recipes allows authenticated users to inject arbitrary tags into recipe step instructions. The bleach.clean sanitizer explicitly whitelists the tag, causing the backend to...

5.4CVSS6.1AI score0.00173EPSS
Exploits1References2
Malwarebytes
Malwarebytes
added 2025/10/02 1:9 p.m.9 views

Scam Facebook groups send malicious Android malware to seniors

An infostealer and banking Trojan rolled into one is making the rounds in Facebook groups aimed at "active seniors". Attackers used social engineering methods to lure targets into joining fake Facebook groups that appeared to promote travel and community activities—such as trips, dance classes, a...

7.1AI score
Exploits0
The Hacker News
The Hacker News
added 2025/02/03 11:39 a.m.26 views

Coyote Malware Expands Reach: Now Targets 1,030 Sites and 73 Financial Institutions

Brazilian Windows users are the target of a campaign that delivers a banking malware known as Coyote. "Once deployed, the Coyote Banking Trojan can carry out various malicious activities, including keylogging, capturing screenshots, and displaying phishing overlays to steal sensitive credentials,...

7.6AI score
Exploits0
Rows per page
Query Builder