2800 matches found

Nuclei
added yesterday | 13 views

Rating by BestWebSoft < 0.2 - Cross-Site Scripting

The rating-bws plugin before 0.2 for WordPress has multiple XSS issues. id: CVE-2017-18530 info: name: Rating by BestWebSoft 0.2 - Cross-Site Scripting author: luisfelipe146 severity: medium description: | The rating-bws plugin before 0.2 for WordPress has multiple XSS issues. impact: |...

CVSS 6.1 | AI score 6.4 | EPSS 0.00098
Exploits: 1 | References: 4

OPENSUSE Linux
added 2 days ago | 5 views

atril-1.28.4-1.1 on GA media (moderate)

atril-1.28.4-1.1 on GA media Announcement ID: openSUSE-SU-2026:10914-1 Rating: moderate Cross-References: CVE-2026-46519 Affected Products: openSUSE Tumbleweed An update that solves one vulnerability can now be installed. Description: These are all security issues fixed in the atril-1.28.4-1.1...

AI score 5.8
Exploits: 0

OPENSUSE Linux
added 2026/05/28 12:0 a.m. | 8 views

ffmpeg-7-7.1.4-2.1 on GA media (moderate)

ffmpeg-7-7.1.4-2.1 on GA media Announcement ID: openSUSE-SU-2026:10867-1 Rating: moderate Cross-References: CVE-2024-35366 CVE-2025-10256 CVE-2025-1594 CVE-2025-9951 CVSS scores: CVE-2024-35366 SUSE : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2024-35366 SUSE : 6.9...

CVSS 6.9 | AI score 5.8 | EPSS 0.00778
Exploits: 1

Github Security Blog
added 2026/05/26 5:39 p.m. | 13 views

Typebot has Stored XSS via Rating Block Custom Icon that Bypasses isUnsafe Sandbox in Builder Preview

Summary The rating block's custom icon feature accepts arbitrary HTML/SVG via the customIcon.svg field and renders it using Solid's innerHTML directive without any sanitization. When a malicious typebot is imported or crafted by a workspace collaborator, the payload executes in the builder's DOM...

CVSS 8.7 | AI score 6.1 | EPSS 0.00031
Exploits: 0 | References: 6 | Affected Software: 1

Snyk
added 2026/05/26 5:39 p.m. | 8 views

Cross-site Scripting (XSS)

Overview: @typebot.io/js is a JavaScript library to display typebots on your website. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the RatingButton component when unsanitized SVG or HTML is rendered via the innerHTML directive. An attacker can gain access to sessi...

CVSS 8.7 | AI score 5.6 | EPSS 0.00031
Exploits: 0 | References: 2

OSV
added 2026/05/26 5:39 p.m. | 15 views

GHSA-6M7C-XFHP-P9FH Typebot has Stored XSS via Rating Block Custom Icon that Bypasses isUnsafe Sandbox in Builder Preview

Summary The rating block's custom icon feature accepts arbitrary HTML/SVG via the customIcon.svg field and renders it using Solid's innerHTML directive without any sanitization. When a malicious typebot is imported or crafted by a workspace collaborator, the payload executes in the builder's DOM...

CVSS 8.7 | AI score 6.1 | EPSS 0.00031
Exploits: 0 | References: 6

Patchstack
added 2026/05/25 7:32 a.m. | 10 views

WordPress CBX 5 Star Rating & Review plugin <= 1.0.7 - Reflected Cross-Site Scripting vulnerability

Reflected Cross-Site Scripting vulnerability discovered by Julian Chibuike Nwadinobi Wackydawg - streamio in WordPress Plugin CBX 5 Star Rating & Review versions <= 1.0.7...

CVSS 6.1 | AI score 5.8 | EPSS 0.00031
Exploits: 0 | References: 1 | Affected Software: 1

OPENSUSE Linux
added 2026/05/25 12:0 a.m. | 11 views

rsync-3.4.3-1.1 on GA media (moderate)

rsync-3.4.3-1.1 on GA media Announcement ID: openSUSE-SU-2026:10857-1 Rating: moderate Cross-References: CVE-2026-29518 CVE-2026-43617 CVE-2026-43618 CVE-2026-43619 CVE-2026-43620 CVE-2026-45232 CVSS scores: CVE-2026-29518 SUSE : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2026-29518 SUSE ...

CVSS 8.1 | AI score 5.8 | EPSS 0.00056
Exploits: 0

OPENSUSE Linux
added 2026/05/25 12:0 a.m. | 9 views

Security update for gnutls (important)

openSUSE security update: security update for gnutls. Announcement ID: openSUSE-SU-2026:20778-1 Rating: important References: bsc1263704 bsc1263705 bsc1263706 bsc1263707 bsc1263708 bsc1263709 bsc1263710 bsc1263711 bsc1263712 bsc1263713...

CVSS 8.8 | AI score 5.8 | EPSS 0.00486
Exploits: 2 | References: 13

NVD
added 2026/05/22 5:16 p.m. | 7 views

CVE-2026-28445

Typebot is a chatbot builder tool. In versions 3.15.2 and prior, the RatingButton component in the embed package renders the user-controlled customIcon.svg field directly via Solid's innerHTML directive without any sanitization, even though DOMPurify is already a dependency and is used elsewhere ...

CVSS 8.7 | EPSS 0.00031
Exploits: 0 | References: 3

ATTACKERKB
added 2026/05/22 4:12 p.m. | 2 views

CVE-2026-28445

Typebot is a chatbot builder tool. In versions 3.15.2 and prior, the RatingButton component in the embed package renders the user-controlled customIcon.svg field directly via Solid's innerHTML directive without any sanitization, even though DOMPurify is already a dependency and is used elsewhere ...

CVSS 8.7 | AI score 6 | EPSS 0.00031
Exploits: 0 | References: 4 | Affected Software: 1

CVE
added 2026/05/22 4:12 p.m. | 16 views

CVE-2026-28445

CVE-2026-28445 affects Typebot up to version 3.15.2, where the RatingButton embed component renders user-controlled customIcon.svg via Solid innerHTML without sanitization, despite DOMPurify being present elsewhere. Because rating blocks aren’t flagged as unsafe by the import sanitizer and the bu...

CVSS 8.7 | AI score 6 | EPSS 0.00031
Exploits: 0 | References: 3

Vulnrichment
added 2026/05/22 4:12 p.m. | 2 views

CVE-2026-28445 Typebot: Stored XSS via Rating Block Custom Icon Bypasses isUnsafe Sandbox in Builder Preview

Typebot is a chatbot builder tool. In versions 3.15.2 and prior, the RatingButton component in the embed package renders the user-controlled customIcon.svg field directly via Solid's innerHTML directive without any sanitization, even though DOMPurify is already a dependency and is used elsewhere ...

CVSS 8.7 | AI score 6 | EPSS 0.00031
Exploits: 0 | References: 3

ATTACKERKB
added 2026/05/22 3:39 a.m. | 3 views

CVE-2026-6864

The CBX 5 Star Rating & Review plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

CVSS 6.1 | AI score 6 | EPSS 0.00031
Exploits: 0 | References: 6

Vulnrichment
added 2026/05/22 3:39 a.m. | 7 views

CVE-2026-6864 CBX 5 Star Rating & Review <= 1.0.7 - Reflected Cross-Site Scripting via 'page' Parameter

The CBX 5 Star Rating & Review plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

CVSS 6.1 | AI score 6 | EPSS 0.00031
Exploits: 0 | References: 5

EUVD
added 2026/05/22 3:39 a.m. | 7 views

EUVD-2026-31409

The CBX 5 Star Rating & Review plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

CVSS 6.1 | AI score 6 | EPSS 0.00031
Exploits: 0 | References: 5

EUVD
added 2026/05/22 12:31 a.m. | 6 views

EUVD-2026-31349

Concrete CMS 9.5.0 and below is vulnerable to IDOR. The '/ccm/frontend/conversations/getrating' endpoint confirms existence and returns rating score for any message by ID. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with...

CVSS 6.3 | AI score 5.8 | EPSS 0.00031
Exploits: 0 | References: 2

Positive Technologies
added 2026/05/22 12:0 a.m. | 4 views

PT-2026-42798

Name of the Vulnerable Software and Affected Versions Typebot versions prior to 3.16.0 Description The RatingButton component in the embed package renders the user-controlled customIcon.svg field directly via Solid's innerHTML directive without sanitization. Because rating blocks are not flagged ...

CVSS 8.7 | AI score 6 | EPSS 0.00031
Exploits: 0 | References: 8

CNNVD
added 2026/05/22 12:0 a.m. | 5 views

Typebot Security Vulnerability

Typebot is an open-source chat bot builder developed by Baptiste Arnaud. Versions of Typebot 3.15.2 and earlier contained security vulnerabilities. These vulnerabilities stemmed from the RatingButton component in the embed package using Solid’s innerHTML directive to render the customIcon.svg fiel...

CVSS 8.7 | AI score 6 | EPSS 0.00031
Exploits: 0 | References: 3

CNNVD
added 2026/05/22 12:0 a.m. | 6 views

WordPress plugin CBX 5 Star Rating & Review Cross-Site Scripting Vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...

CVSS 6.1 | AI score 5.8 | EPSS 0.00031
Exploits: 0 | References: 5