6686 matches found
CVE-2022-24718
ssr-pages is an HTML page builder for the purpose of server-side rendering SSR. In versions prior to 0.1.4, a path traversal issue can occur when providing untrusted input to the svg property as an argument to the buildMessagePageOptions function. While there is no known workaround at this time,...
CVE-2022-31127
NextAuth.js is a complete open source authentication solution for Next.js applications. An attacker can pass a compromised input to the e-mail signin endpoint that contains some malicious HTML, tricking the e-mail server to send it to the user, so they can perform a phishing attack. Eg.:...
CVE-2022-31176
Grafana Image Renderer is a Grafana backend plugin that handles rendering of panels & dashboards to PNGs using a headless browser Chromium/Chrome. An internal security review identified an unauthorized file disclosure vulnerability. It is possible for a malicious user to retrieve unauthorized fil...
CVE-2020-15092
In TimelineJS before version 3.7.0, some user data renders as HTML. An attacker could implement an XSS exploit with maliciously crafted content in a number of data fields. This risk is present whether the source data for the timeline is stored on Google Sheets or in a JSON configuration file. Mos...
CVE-2024-23345
Nautobot is a Network Source of Truth and Network Automation Platform built as a web application. All users of Nautobot versions earlier than 1.6.10 or 2.1.2 are potentially impacted by a cross-site scripting vulnerability. Due to inadequate input sanitization, any user-editable fields that suppo...
BIT-SUPERSET-2022-43717 Apache Superset: Cross-Site Scripting on dashboards
Dashboard rendering does not sufficiently sanitize the content of markdown components leading to possible XSS attack vectors that can be performed by authenticated users with create dashboard permissions. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0...
CVE-2024-53615
A command injection vulnerability in the video thumbnail rendering component of Karl Ward's files.gallery v0.3.0 through 0.11.0 allows remote attackers to execute arbitrary code via a crafted video file...
CVE-2024-53615
A command injection vulnerability in the video thumbnail rendering component of Karl Ward's files.gallery v0.3.0 through 0.11.0 allows remote attackers to execute arbitrary code via a crafted video file...
DOJO 访问控制错误漏洞
DOJO is an open source JavaScript toolkit from pwn.college. DOJO suffers from an Access Control Error vulnerability that stems from a lack of access control when rendering a customized DOJO page, resulting in a user being able to create a stored cross-site scripting XSS vulnerability...
CVE-2024-53615
A command injection vulnerability in the video thumbnail rendering component of Karl Ward's files.gallery v0.3.0 through 0.11.0 allows remote attackers to execute arbitrary code via a crafted video file...
PT-2025-4863 · Unknown · Exif Viewer Classic
Name of the Vulnerable Software and Affected Versions: EXIF Viewer Classic versions 2.3.2 through 2.4.0 Description: The issue is caused by improper handling of EXIF meta data, leading to a cross-site scripting vulnerability. When an image is rendered and crafted EXIF meta data is processed, an...
Cross-Site Scripting (XSS)
KateX is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to insufficient sanitization of input. When users render untrusted mathematical expressions using renderToString, malicious input containing \htmlData can bypass validation, allowing for the execution of arbitrary JavaScrip...
CVE-2025-0314
An issue has been discovered in GitLab CE/EE affecting all versions from 17.2 before 17.6.4, 17.7 before 17.7.3, and 17.8 before 17.8.1. Improper rendering of certain file types lead to cross-site scripting...
UBUNTU-CVE-2025-0314
An issue has been discovered in GitLab CE/EE affecting all versions from 17.2 before 17.6.4, 17.7 before 17.7.3, and 17.8 before 17.8.1. Improper rendering of certain file types lead to cross-site scripting...
CVE-2025-0314 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
An issue has been discovered in GitLab CE/EE affecting all versions from 17.2 before 17.6.4, 17.7 before 17.7.3, and 17.8 before 17.8.1. Improper rendering of certain file types lead to cross-site scripting...
GitLab 跨站脚本漏洞
GitLab is an open source, end-to-end software development platform from GitLab, Inc. with built-in version control, issue tracking, code review, CI/CD Continuous Integration and Continuous Delivery, and other features. A cross-site scripting vulnerability exists in GitLab CE/EE, which stems from...
[SECURITY] Fedora 41 Update: webkit2gtk4.0-2.46.5-1.fc41
WebKitGTK is the port of the WebKit web rendering engine to the GTK platform. This package contains WebKitGTK for GTK 3 and libsoup 2...
LunaSVG 安全漏洞
LunaSVG is a standalone SVG rendering library in C by the individual developer Samuel Ugochukwu. A security vulnerability exists in LunaSVG version v3.0.0, which stems from a discovery of a containment segmentation violation via the component plutovgblend...
LunaSVG 安全漏洞
LunaSVG is a standalone C SVG rendering library. A security vulnerability exists in LunaSVG, which stems from the inclusion of a segmentation violation found via the component compositionsourceover. No detailed vulnerability details are provided at this time...
GHSA-QWJ6-Q94F-8425 MathLive's Lack of Escaping of HTML allows for XSS
Summary Despite normal text rendering as LaTeX expressions, preventing XSS, the library also provides users with commands which may modify HTML, such as the \htmlData command, and the lack of escaping leads to XSS. Details Overall in the code, other than in the test folder, no functions escaping...