6678 matches found

NVD
added 2025/09/10 9:15 p.m., 7 views

CVE-2025-59052

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Angular uses a DI container (the "platform injector") to hold request-specific state during server-side rendering. For historical reasons, the container was stored as ...

7.1 CVSS, 0.00326 EPSS
Exploits: 1, References: 3
vulnersOsv
added 2025/09/10 8:44 p.m., 9 views

@cosla/sensemaking-web-ui (>=1.0.0 <=1.0.4) potentially affected by CVE-2025-59052 via @angular/ssr (=18.2.13)

@angular/ssr NPM version =18.2.13 is affected by a known vulnerability. The following packages have a transitive dependency on @angular/ssr and may be impacted: - @cosla/sensemaking-web-ui =1.0.0, =1.0.4 Source cves: CVE-2025-59052 Source advisory: SNYK:JS-ANGULARSSR-12613576...

7.1 CVSS, 7.2 AI score, 0.00326 EPSS
Exploits: 1
Snyk
added 2025/09/10 8:44 p.m., 6 views

Race Condition

Overview: @nguniversal/common is an Angular Universal module that is common across server-side rendering app irrespective of the rendering engine. Affected versions of this package are vulnerable to Race Condition between multiple concurrent requests in the global platform injector, when using the...

7.1 CVSS, 7 AI score, 0.00326 EPSS
Exploits: 1, References: 2
vulnersOsv
added 2025/09/10 8:44 p.m., 7 views

@manniwatch/client-desktop (>=0.30.0 <=0.30.1), @manniwatch/client-ng (>=0.30.0 <=0.30.1) +2 more potentially affected by CVE-2025-59052 via @angular/ssr (>=19.0.5 <=19.2.1)

@angular/ssr NPM version =19.0.5, =0.30.0, =0.30.0, =19.0.0-alpha.20, =19.0.0-alpha.20, =19.0.0-alpha.24 Source cves: CVE-2025-59052 Source advisory: SNYK:JS-ANGULARSSR-12613576...

7.1 CVSS, 7.2 AI score, 0.00326 EPSS
Exploits: 1
Snyk
added 2025/09/10 8:28 p.m., 4 views

Cross-site Scripting (XSS)

Overview: indico is a conference lifecycle management and meeting/lecture scheduling tool. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) when rendering LaTeX math code in contribution and abstract description sections. Details: Cross-site scripting or XSS is a code...

5.4 CVSS, 5.1 AI score, 0.00189 EPSS
Exploits: 0, References: 2
Cvelist
added 2025/09/10 8:13 p.m., 11 views

CVE-2025-59052 Angular SSR: Global Platform Injector Race Condition Leads to Cross-Request Data Leakage

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Angular uses a DI container (the "platform injector") to hold request-specific state during server-side rendering. For historical reasons, the container was stored as ...

7.1 CVSS, 0.00326 EPSS
Exploits: 1, References: 3
Vulnrichment
added 2025/09/10 8:13 p.m., 6 views

CVE-2025-59052 Angular SSR: Global Platform Injector Race Condition Leads to Cross-Request Data Leakage

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Angular uses a DI container (the "platform injector") to hold request-specific state during server-side rendering. For historical reasons, the container was stored as ...

7.1 CVSS, 6.2 AI score, 0.00326 EPSS
Exploits: 1, References: 3
CVE
added 2025/09/10 8:13 p.m., 31 views

CVE-2025-59052

CVE-2025-59052: Angular SSR race condition in the platform injector can cause cross-request data leaks due to a global injector state shared across concurrent SSR requests. Affected: Angular SSR/server rendering path using bootstrapApplication, getPlatform, or destroyPlatform. Patched in all acti...

7.1 CVSS, 6.2 AI score, 0.00326 EPSS
Exploits: 1, References: 3
NVD
added 2025/09/10 4:15 p.m., 7 views

CVE-2025-59035

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Prior to version 3.3.8, there is a Cross-Site-Scripting vulnerability when rendering LaTeX math code in contribution or abstract descriptions. Users should update to Indico 3.3.8 as...

5.4 CVSS, 0.00189 EPSS
Exploits: 0, References: 2
OSV
added 2025/09/10 4:3 p.m., 6 views

CVE-2025-59035 Indico vulnerable to Cross-Site Scripting via LaTeX math code

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Prior to version 3.3.8, there is a Cross-Site-Scripting vulnerability when rendering LaTeX math code in contribution or abstract descriptions. Users should update to Indico 3.3.8 as...

4.6 CVSS, 7 AI score, 0.00189 EPSS
Exploits: 0, References: 4
Tenable Nessus
added 2025/09/10 12:0 a.m., 7 views

Linux Distros Unpatched Vulnerability : CVE-2014-4467

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - WebKit, as used in Apple iOS before 8.1.3, does not properly determine scrollbar boundaries during the rendering of FRAME elements, which allows remote attacker...

4.3 CVSS, 5.5 AI score, 0.01148 EPSS
Exploits: 0, References: 2
CNNVD
added 2025/09/10 12:0 a.m., 3 views

Indico Cross-Site Scripting Vulnerability

Indico is a feature-rich event management system from Indico Open Source. A cross-site scripting vulnerability exists in Indico versions prior to 3.3.8 that stems from a cross-site scripting vulnerability when rendering LaTeX math code...

5.4 CVSS, 5.8 AI score, 0.00189 EPSS
Exploits: 0, References: 2
Positive Technologies
added 2025/09/10 12:0 a.m., 9 views

PT-2025-37099

Name of the Vulnerable Software and Affected Versions: Angular versions 18.2.14 through 18.2.21; Angular versions 19.2.15 through 19.2.16; Angular versions 20.3.0; Angular versions 21.0.0-next.3. Description: Angular uses a DI container to hold request-specific state during server-side rendering. Due...

7.1 CVSS, 6.4 AI score, 0.00326 EPSS
Exploits: 1, References: 11
Tenable Nessus
added 2025/09/10 12:0 a.m., 2 views

Linux Distros Unpatched Vulnerability : CVE-2024-2380

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Stored XSS in graph rendering in Checkmk 2.3.0b4. CVE-2024-2380 Note that Nessus relies on the presence of the package as reported by the vendor. %NASLMINLEVEL...

5.4 CVSS, 5.4 AI score, 0.00345 EPSS
Exploits: 0, References: 2
Cvelist
added 2025/09/09 8:19 p.m., 10 views

CVE-2025-58768 DeepChat's Mermaid rendering has XSS leading to RCE

DeepChat is a smart assistant that uses artificial intelligence. Prior to version 0.3.5, in the Mermaid chart rendering component, there is a risky operation of directly using innerHTML to set user content. Therefore, any malicious content rendered via Mermaid will directly trigger the exploit chain,...

9.6 CVSS, 0.00558 EPSS
Exploits: 1, References: 1
Vulnrichment
added 2025/09/09 8:19 p.m., 4 views

CVE-2025-58768 DeepChat's Mermaid rendering has XSS leading to RCE

DeepChat is a smart assistant that uses artificial intelligence. Prior to version 0.3.5, in the Mermaid chart rendering component, there is a risky operation of directly using innerHTML to set user content. Therefore, any malicious content rendered via Mermaid will directly trigger the exploit chain,...

9.6 CVSS, 6.6 AI score, 0.00558 EPSS
Exploits: 1, References: 1
CVE
added 2025/09/09 8:19 p.m., 16 views

CVE-2025-58768

CVE-2025-58768 affects DeepChat prior to version 0.3.5, specifically in the Mermaid chart rendering component where user content is directly written via innerHTML. This creates an XSS vulnerability that can trigger an exploit chain, potentially allowing arbitrary JavaScript execution and arbitrar...

9.6 CVSS, 6.6 AI score, 0.00558 EPSS
Exploits: 1, References: 1, Affected Software: 1
OSV
added 2025/09/09 8:19 p.m., 4 views

CVE-2025-58768 DeepChat's Mermaid rendering has XSS leading to RCE

DeepChat is a smart assistant that uses artificial intelligence. Prior to version 0.3.5, in the Mermaid chart rendering component, there is a risky operation of directly using innerHTML to set user content. Therefore, any malicious content rendered via Mermaid will directly trigger the exploit chain,...

9.6 CVSS, 7 AI score, 0.00558 EPSS
Exploits: 1, References: 3
Positive Technologies
added 2025/09/09 12:0 a.m., 15 views

PT-2025-36955

Name of the Vulnerable Software and Affected Versions: DeepChat versions prior to 0.3.5. Description: DeepChat, a smart assistant utilizing artificial intelligence, contains a flaw in the Mermaid chart rendering component. Directly using innerHTML to set user content allows for the execution of...

9.6 CVSS, 5.9 AI score, 0.00558 EPSS
Exploits: 1, References: 5
Veracode
added 2025/09/08 8:49 a.m., 6 views

Cross-site Scripting (XSS)

librenms/librenms is vulnerable to stored cross-site scripting (XSS). The vulnerability is due to malicious JavaScript being allowed in the Alert Template creation feature, which executes when the template is rendered...

5.5 CVSS, 6 AI score, 0.00817 EPSS
Exploits: 1, References: 4, Affected Software: 1