
121 matches found

EUVD
added 5 days ago, 8 views

EUVD-2026-33304

WWBN AVideo is an open source video platform. In 29.0 and earlier, AVideo stores category descriptions from user input and later renders categorydescription as raw HTML in the Gallery view. A user who can create or edit categories can store JavaScript in a category description, which executes whe...

CVSS 5.4, AI score 5.8, EPSS 0.00035
Exploits: 1, References: 1
CNNVD
added 5 days ago, 4 views

WWBN AVideo security vulnerability

WWBN AVideo is a video platform building system written in PHP, developed by the WWBN team. Versions of WWBN AVideo prior to version 29 contain security vulnerabilities. These vulnerabilities stem from storing user-input category descriptions as raw HTML during Gallery view rendering. This allows...

CVSS 5.4, AI score 5.7, EPSS 0.00035
Exploits: 1, References: 1
Cvelist
added 2026/05/25 7:38 a.m., 27 views

CVE-2026-45249 Apache ECharts: XSS in Lines series tooltip rendering

A cross-site scripting (XSS) vulnerability exists in Apache ECharts in the Lines series tooltip rendering logic. This issue affects Apache ECharts versions before 6.1.0. In versions prior to 6.1.0, if both Lines series and tooltip are used, and no user-specified tooltip.formatter is provided, and...

EPSS 0.00091
Exploits: 0, References: 4
Github Security Blog
added 2026/05/21 5:57 p.m., 7 views

md-fileserver: Stored/Reflected XSS when viewing Markdown (raw HTML allowed)

Summary: A cross-site scripting (XSS) vulnerability exists in the application’s Markdown rendering logic. When user-supplied Markdown content is rendered, embedded raw HTML—including tags—is processed and injected into the resulting page without sanitization, allowing arbitrary JavaScript execution ...

AI score 6
Exploits: 0, References: 2, Affected software: 1
Patchstack
added 2026/05/21 5:57 p.m., 2 views

NPM: md-fileserver: Stored/Reflected XSS when viewing Markdown (raw HTML allowed)

NPM: md-fileserver: Stored/Reflected XSS when viewing Markdown raw HTML allowed vulnerability discovered by ? in WordPress Npm md-fileserver versions 1.10.3...

AI score 5.8
Exploits: 0, References: 2, Affected software: 1
CNNVD
added 2026/05/21 12:00 a.m., 4 views

Concrete CMS cross-site scripting vulnerability

Concrete CMS is an open-source content management system developed by Concrete CMS. Versions of Concrete CMS 9.5.0 and earlier had a cross-site scripting vulnerability. This vulnerability occurred due to the OAuth integration name being rendered using the t translation assistant. As a result, the...

CVSS 7.3, AI score 5.7, EPSS 0.00031
Exploits: 0, References: 1
CVE
added 2026/05/19 9:18 p.m., 6 views

CVE-2026-34246

CtrlPanel CVE-2026-34246 affects versions 1.1.1 and earlier. The vulnerability is a Stored XSS in the admin role management interface where datatable() inserts $role->name and $role->color directly into HTML and a .rawColumns(['actions','name']) setting disables automatic escaping. An admin...

CVSS 4.8, AI score 5.8, EPSS 0.00024
Exploits: 0, References: 2
CVE
added 2026/04/24 6:53 p.m., 4 views

CVE-2026-41421

SiYuan desktop prior to version 3.6.5 is vulnerable to local code execution via desktop notifications. The backend forwards user-controlled msg through /api/notification/pushMsg and the frontend injects it into the DOM with insertAdjacentHTML, within an Electron renderer that is configured with n...

CVSS 8.8, AI score 5.6, EPSS 0.00033
Exploits: 0, References: 1
CNNVD
added 2026/04/24 12:00 a.m., 3 views

SiYuan operating system command injection vulnerability

SiYuan is an open-source personal knowledge management system developed by SiYuan. Versions of SiYuan prior to 3.6.5 contained a vulnerability related to operating system command injection. This vulnerability stemmed from the fact that notification messages were rendered in raw HTML format, which...

CVSS 8.8, AI score 6, EPSS 0.00033
Exploits: 0, References: 1
Github Security Blog
added 2026/04/08 7:15 p.m., 2 views

CI4MS has stored XSS in Pages Content Due to Missing html_purify Sanitization

Summary: The Pages module does not apply the html_purify validation rule to content fields during create and update operations, while the Blog module does. Page content is stored unsanitized in the database and rendered as raw HTML on the public frontend via echo $pageInfo->content. An authenticated...

CVSS 5.5, AI score 6, EPSS 0.00014
Exploits: 1, References: 4, Affected software: 1
NVD
added 2026/04/08 3:16 p.m., 1 view

CVE-2026-39392

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Pages module does not apply the html_purify validation rule to content fields during create and update operations, while the Blog...

CVSS 5.5, EPSS 0.00014
Exploits: 1, References: 1
CVE
added 2026/03/31 8:49 p.m., 3 views

CVE-2026-34716

WWBN AVideo (versions 26.0 and earlier) is affected by a DOM XSS in the YPTSocket plugin. The attacker-controlled display name is passed to the jQuery Toast Plugin as the heading, which is assembled as raw HTML and injected via .html(), allowing the display name to include scripts. This enables c...

CVSS 6.4, AI score 6.3, EPSS 0.00021
Exploits: 1, References: 1, Affected software: 1
Positive Technologies
added 2026/03/31 12:00 a.m., 1 view

PT-2026-29423

Summary: An unauthenticated attacker can submit a guest FAQ with an email address that is syntactically valid under RFC 5321 (quoted local part) yet contains raw HTML — for example "alert1"@evil.com. PHP's FILTER_VALIDATE_EMAIL accepts this email as valid. The email is stored in the database without...

CVSS 6.4, AI score 5.9, EPSS 0.00229
Exploits: 1, References: 5
OSV
added 2026/03/24 7:22 p.m., 4 views

GHSA-5VP3-3CG6-2RQ3 JustHTML is vulnerable to XSS via code fence breakout in <pre> content

Summary: tomarkdown is vulnerable when serializing attacker-controlled content. The handler emits a fixed three-backtick fenced code block, but writes decoded text content into that fence without choosing a delimiter longer than any backtick run inside the content. An attacker can place backticks...

CVSS 7.1, AI score 5.9
Exploits: 0, References: 4
Snyk
added 2026/03/24 7:22 p.m., 0 views

Cross-site Scripting (XSS)

Overview: justhtml is a pure Python HTML5 parser that just works. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the tomarkdown function when serializing attacker-controlled content. An attacker can execute arbitrary HTML or scripts by crafting input containing...

CVSS 7.1, AI score 5.9
Exploits: 0, References: 2
OSV
added 2026/03/20 8:56 p.m., 1 view

GHSA-72H5-39R7-R26J AVideo - Incomplete Fix for CVE-2026-27568: Stored XSS via Markdown `javascript:` URI Bypasses ParsedownSafeWithLinks Sanitization

Summary: The fix for CVE-2026-27568 (GHSA-rcqw-6466-3mv7) introduced a custom ParsedownSafeWithLinks class that sanitizes raw HTML and tags in comments, but explicitly disables Parsedown's safeMode. This creates a bypass: markdown link syntax text is processed by Parsedown's inlineLink method, which...

CVSS 5.4, AI score 5.9, EPSS 0.00016
Exploits: 1, References: 4
UbuntuCve
added 2026/03/18 10:16 p.m., 1 view

CVE-2026-32722

Memray is a memory profiler for Python. Prior to Memray 1.19.2, Memray rendered the command line of the tracked process directly into generated HTML reports without escaping. Because there was no escaping, attacker-controlled command line arguments were inserted as raw HTML into the generated...

CVSS 6.1, AI score 6.1, EPSS 0.00022
Exploits: 2, References: 5
OSV
added 2026/03/18 8:19 p.m., 2 views

GHSA-3RCM-VJRC-P45J JustHTML has a Sanitizer Bypass (in Markdown)

Summary: tomarkdown does not sufficiently escape text content that looks like HTML. As a result, untrusted input that is safe in tohtml can become raw HTML in Markdown output. This is not specific to tokenizer raw-text states like , , or , although those states can trigger the behavior. The root...

CVSS 5.3, AI score 5.8
Exploits: 0, References: 2
Github Security Blog
added 2026/03/18 8:19 p.m., 1 view

JustHTML has a Sanitizer Bypass (in Markdown)

Summary: tomarkdown does not sufficiently escape text content that looks like HTML. As a result, untrusted input that is safe in tohtml can become raw HTML in Markdown output. This is not specific to tokenizer raw-text states like , , or , although those states can trigger the behavior. The root...

AI score 5.8
Exploits: 0, References: 2, Affected software: 1
Github Security Blog
added 2026/03/18 12:58 p.m., 1 view

Craft CMS Vulnerable to Stored XSS in Revision Context Menu

The revision/draft context menu in the element editor renders the creator’s fullName as raw HTML due to the use of Template::raw combined with Craft::t string interpolation. A low-privileged control panel user (e.g., Author) can set their fullName to an XSS payload via the profile editor, then crea...

CVSS 5.4, AI score 5.8, EPSS 0.00018
Exploits: 0, References: 5, Affected software: 1