Lucene search
K

127 matches found

Vulnrichment
Vulnrichment
added 2026/03/07 4:0 p.m.4 views

CVE-2026-30838 league/commonmark: DisallowedRawHtml extension bypass via whitespace in HTML tag names

league/commonmark is a PHP Markdown parser. Prior to version 2.8.1, the DisallowedRawHtml extension can be bypassed by inserting a newline, tab, or other ASCII whitespace character between a disallowed HTML tag name and the closing . For example, would pass through unfiltered and be rendered as a...

5.1CVSS5.7AI score0.00217EPSS
Exploits0References1
CVE
CVE
added 2026/03/07 4:0 p.m.21 views

CVE-2026-30838

CVE-2026-30838 affects league/commonmark, a PHP Markdown parser. Prior to version 2.8.1, the DisallowedRawHtml extension can be bypassed by inserting ASCII whitespace between a disallowed HTML tag name and the closing >, e.g., , enabling a cross-site scripting (XSS) vector for applications tha...

6.1CVSS5.7AI score0.00217EPSS
Exploits0References1Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/06 11:27 p.m.10 views

CommonMark has DisallowedRawHtml extension bypass via whitespace in HTML tag names

Impact The DisallowedRawHtml extension can be bypassed by inserting a newline, tab, or other ASCII whitespace character between a disallowed HTML tag name and the closing . For example, would pass through unfiltered and be rendered as a valid HTML tag by browsers. This is a cross-site scripting X...

6.1CVSS5.6AI score0.00217EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/03/06 5:4 p.m.2 views

SUSE-SU-2026:0846-1 Security update for python-Markdown

This update for python-Markdown fixes the following issue: - CVE-2025-69534: incomplete markup declaration in raw HTML can crash applications that process untrusted Markdown bsc1259256...

8.2CVSS5.8AI score0.00566EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2026/03/06 12:0 a.m.5 views

PT-2026-23795

Name of the Vulnerable Software and Affected Versions league/commonmark versions prior to 2.8.1 Description The DisallowedRawHtml extension in league/commonmark can be bypassed by inserting ASCII whitespace characters between a disallowed HTML tag name and the closing ''. For example, would pass...

5.1CVSS5.7AI score0.00217EPSS
Exploits0References8
OSV
OSV
added 2026/03/05 7:26 p.m.5 views

GHSA-XRCR-GMF5-2R8J Gogs: Stored XSS via data URI in issue comments

Summary A Stored Cross-site Scripting XSS vulnerability exists in the comment and issue description functionality. The application's HTML sanitizer explicitly allows data: URI schemes, enabling authenticated users to inject arbitrary JavaScript execution via malicious links. Details The...

8.7CVSS6.3AI score0.00306EPSS
Exploits1References6
Github Security Blog
Github Security Blog
added 2026/03/05 7:26 p.m.6 views

Gogs: Stored XSS via data URI in issue comments

Summary A Stored Cross-site Scripting XSS vulnerability exists in the comment and issue description functionality. The application's HTML sanitizer explicitly allows data: URI schemes, enabling authenticated users to inject arbitrary JavaScript execution via malicious links. Details The...

8.7CVSS6.3AI score0.00306EPSS
Exploits1References6Affected Software1
OSV
OSV
added 2026/03/02 7:51 p.m.4 views

GHSA-QXWQ-Q265-HC44 NocoDB Vulnerable to Stored Cross-site Scripting via Rich Text Field

Summary An authenticated user with Editor role can inject arbitrary HTML into Rich Text cells by bypassing the TipTap editor and sending raw HTML via the API. Details The TipTap editor sanitizes HTML client-side, but the backend stores raw HTML without server-side sanitization. The stored content...

5.3CVSS6AI score0.00147EPSS
Exploits0References4
CVE
CVE
added 2026/03/02 4:17 p.m.11 views

CVE-2026-28359

CVE-2026-28359 affects NocoDB prior to 0.301.3, where an authenticated user with Editor role could inject arbitrary HTML into Rich Text cells by bypassing the TipTap editor and sending raw HTML via the API, causing stored cross-site scripting. The issue is mitigated by patching in version 0.301.3...

5.4CVSS5.9AI score0.00147EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/02/12 9:16 a.m.2 views

UBUNTU-CVE-2025-41117

Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field. Only datasources with the Jaeger HTTP API appear to be affected; Jaeger gRPC and Tempo ...

6.8CVSS5.8AI score0.0026EPSS
Exploits0References3
OSV
OSV
added 2026/02/12 8:49 a.m.4 views

CVE-2025-41117 XSS in Grafana Explore stack trace

Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field. Only datasources with the Jaeger HTTP API appear to be affected; Jaeger gRPC and Tempo ...

6.8CVSS6.6AI score0.0026EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/02/12 8:49 a.m.7 views

CVE-2025-41117

Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field. Only datasources with the Jaeger HTTP API appear to be affected; Jaeger gRPC and Tempo ...

6.8CVSS5.5AI score0.0026EPSS
Exploits0References3Affected Software2
Vulnrichment
Vulnrichment
added 2026/02/12 8:49 a.m.6 views

CVE-2025-41117 XSS in Grafana Explore stack trace

Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field. Only datasources with the Jaeger HTTP API appear to be affected; Jaeger gRPC and Tempo ...

6.8CVSS5.5AI score0.0026EPSS
Exploits0References1
FreeBSD
FreeBSD
added 2026/02/12 12:0 a.m.10 views

Grafana -- XSS in Grafana Explore stack trace

https://grafana.com/security/security-advisories/cve-2025-41117 reports: Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field. Only datasourc...

6.8CVSS5.8AI score0.0026EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/02/12 12:0 a.m.7 views

Grafana 安全漏洞

Grafana is a set of open-source monitoring tools developed by Grafana Open Source, which provide a visual monitoring interface. This tool is primarily used for monitoring and analyzing Graphite, InfluxDB, and Prometheus. Grafana has a security vulnerability, where stack traces in the Explore Trac...

6.8CVSS5.8AI score0.0026EPSS
Exploits0References2
NVD
NVD
added 2026/02/06 10:16 p.m.10 views

CVE-2026-25516

NiceGUI is a Python-based UI framework. The ui.markdown component uses the markdown2 library to convert markdown content to HTML, which is then rendered via innerHTML. By default, markdown2 allows raw HTML to pass through unchanged. This means that if an application renders user-controlled conten...

6.1CVSS0.00241EPSS
Exploits1References2
EUVD
EUVD
added 2026/02/06 9:12 p.m.9 views

EUVD-2026-5566

NiceGUI is a Python-based UI framework. The ui.markdown component uses the markdown2 library to convert markdown content to HTML, which is then rendered via innerHTML. By default, markdown2 allows raw HTML to pass through unchanged. This means that if an application renders user-controlled conten...

6.1CVSS5.5AI score0.00241EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/02/06 9:12 p.m.4 views

CVE-2026-25516

NiceGUI is a Python-based UI framework. The ui.markdown component uses the markdown2 library to convert markdown content to HTML, which is then rendered via innerHTML. By default, markdown2 allows raw HTML to pass through unchanged. This means that if an application renders user-controlled conten...

6.1CVSS5.5AI score0.00241EPSS
Exploits1References3Affected Software1
CNNVD
CNNVD
added 2026/02/06 12:0 a.m.10 views

NiceGUI 跨站脚本漏洞

NiceGUI is an easy-to-use, Python-based UI framework developed under the open source license. Versions of NiceGUI prior to 3.7.0 contained a cross-site scripting vulnerability. This vulnerability stemmed from the ui.markdown component, which allowed raw HTML to be passed through by default,...

6.1CVSS5.6AI score0.00241EPSS
Exploits1References3
EUVD
EUVD
added 2026/02/03 6:5 p.m.5 views

EUVD-2026-5209

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability exists in Craft Commerce’s Order Status History Message. The message is rendered using the |md filter, which permits raw HTML, enabling malicious script...

6.2CVSS5.5AI score0.003EPSS
Exploits1References4
Rows per page
Query Builder