CVE-2026-33664 Kestra Vulnerable to Stored Cross-Site Scripting via Flow YAML Fields

Kestra is an open-source, event-driven orchestration platform Versions up to and including 1.3.3 render user-supplied flow YAML metadata fields — description, inputs.displayName, inputs.description — through the Markdown.vue component instantiated with html: true. The resulting HTML is injected...

EUVD-2026-16430

Kestra is an open-source, event-driven orchestration platform Versions up to and including 1.3.3 render user-supplied flow YAML metadata fields — description, inputs.displayName, inputs.description — through the Markdown.vue component instantiated with html: true. The resulting HTML is injected...

CVE-2026-33664 Kestra Vulnerable to Stored Cross-Site Scripting via Flow YAML Fields

Kestra is an open-source, event-driven orchestration platform Versions up to and including 1.3.3 render user-supplied flow YAML metadata fields — description, inputs.displayName, inputs.description — through the Markdown.vue component instantiated with html: true. The resulting HTML is injected...

CVE-2026-33664

Kestra 1.x (up to 1.3.3) is vulnerable to Stored Cross-Site Scripting in Markdown-based YAML flow metadata. The issue arises when user-supplied flow YAML fields—specifically description, inputs[].displayName, and inputs[].description—are rendered by Markdown.vue with html: true and then injected ...

EUVD-2026-16418

Invoice Ninja is a source-available invoice, quote, project and time-tracking app built with Laravel. Product notes fields in Invoice Ninja v5.13.0 allow raw HTML via Markdown rendering, enabling stored XSS. The Markdown parser output was not sanitized with purify::clean before being included in...

CVE-2026-33742 Invoice Ninja has Stored XSS via Markdown HTML Injection in Product Notes

Invoice Ninja is a source-available invoice, quote, project and time-tracking app built with Laravel. Product notes fields in Invoice Ninja v5.13.0 allow raw HTML via Markdown rendering, enabling stored XSS. The Markdown parser output was not sanitized with purify::clean before being included in...

CVE-2026-33742 Invoice Ninja has Stored XSS via Markdown HTML Injection in Product Notes

Invoice Ninja is a source-available invoice, quote, project and time-tracking app built with Laravel. Product notes fields in Invoice Ninja v5.13.0 allow raw HTML via Markdown rendering, enabling stored XSS. The Markdown parser output was not sanitized with purify::clean before being included in...

CVE-2026-33738

Lychee is a free, open-source photo-management tool. Prior to version 7.5.3, the photo description field is stored without HTML sanitization and rendered using !! $item-summary !! Blade unescaped output in the RSS, Atom, and JSON feed templates. The /feed endpoint is publicly accessible without...

n8n Vulnerable to XSS via Binary Data Inline HTML Rendering

Impact An authenticated user with permission to create or modify workflows could craft a workflow that produces an HTML binary data object without a filename. The /rest/binary-data endpoint served such responses inline on the n8n origin without Content-Disposition or Content-Security-Policy...

CVE-2026-33397

The Angular SSR is a server-rise rendering tool for Angular applications. Versions on the 22.x branch prior to 22.0.0-next.2, the 21.x branch prior to 21.2.3, and the 20.x branch prior to 20.3.21 have an Open Redirect vulnerability in @angular/ssr due to an incomplete fix for CVE-2026-27738. Whil...

CVE-2026-31860

Unhead is a document head and template manager. Prior to 2.1.11, useHeadSafe can be bypassed to inject arbitrary HTML attributes, including event handlers, into SSR-rendered...

CVE-2026-0602

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to disclose metadata from private issues, merge requests, epics, milestones, or commits due to improper filtering...

CVE-2026-32754

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Versions 1.8.208 and below are vulnerable to Stored Cross-Site Scripting XSS through FreeScout's email notification templates. Incoming email bodies are stored in the database without sanitization and rendered...

CVE-2026-32121

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, Stored XSS in prescription CSS/HTML print view via patient demographics. That finding involves server-side rendering of patient names via raw PHP echo. This finding involves...

CVE-2026-32626

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, AnythingLLM Desktop contains a Streaming Phase XSS vulnerability in the chat rendering pipeline that escalates to Remote Code Execution on the host OS...

CVE-2026-32753

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. In versions 1.8.208 and below, bypasses of the attachment view logic and SVG sanitizer make it possible to upload and render an SVG that runs malicious JavaScript. An extension of .png with content type of...

CVE-2026-33046

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. In versions prior to 3.3.12, due to vulnerabilities in TeXLive and obscure LaTeX syntax that allowed circumventing Indico's LaTeX sanitizer, it is possible to use specially-crafted LaT...

CVE-2026-33397 Angular SSR Vulnerable to Protocol-Relative URL Injection via Single Backslash Bypass

The Angular SSR is a server-rise rendering tool for Angular applications. Versions on the 22.x branch prior to 22.0.0-next.2, the 21.x branch prior to 21.2.3, and the 20.x branch prior to 20.3.21 have an Open Redirect vulnerability in @angular/ssr due to an incomplete fix for CVE-2026-27738. Whil...

CVE-2026-33397

The CVE concerns Angular SSR bottleneck/open-redirect in @angular/ssr. Affected series: 22.x before 22.0.0-next.2, 21.x before 21.2.3, and 20.x before 20.3.21, with a patch included in 22.0.0-next.2, 21.2.3, and 20.3.21. Root cause: incomplete fix for CVE-2026-27738 where a single backslash in X-...

PT-2026-28521

Name of the Vulnerable Software and Affected Versions Invoice Ninja versions 5.13.0 through 5.13.3 Description Invoice Ninja, an invoice, quote, project, and time-tracking application built with Laravel, has an issue where the product notes fields in versions 5.13.0 through 5.13.3 allow raw HTML...