CVE-2026-23885

Alchemy is an open source content management system engine written in Ruby on Rails. Prior to versions 7.4.12 and 8.0.3, the application uses the Ruby eval function to dynamically execute a string provided by the resourcehandler.enginename attribute in Alchemy::ResourcesHelperresourceurlproxy. Th...

CVE-2026-23885

Alchemy is an open source content management system engine written in Ruby on Rails. Prior to versions 7.4.12 and 8.0.3, the application uses the Ruby eval function to dynamically execute a string provided by the resourcehandler.enginename attribute in Alchemy::ResourcesHelperresourceurlproxy. Th...

Eval Injection

Overview Affected versions of this package are vulnerable to Eval Injection via the resourceurlproxy function. An attacker can execute arbitrary system commands by supplying crafted input to the enginename attribute, which is evaluated within the application context. PoC require 'ostruct' def...

Improper Authorization Enforcement

github.com/rancher/rancher is vulnerable to improper authorization enforcement. The vulnerability is due to improper revocation of permissions after removing a custom GlobalRole or its binding, which allows an attacker to retain unauthorized administrative access to clusters when the role contain...

CVE-2026-22610

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0, a cross-site scripting XSS vulnerability has been identified in the Angular Template Compiler. The...

CVE-2026-22610

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0, a cross-site scripting XSS vulnerability has been identified in the Angular Template Compiler. The...

CVE-2026-22610

Angular contains an XSS vulnerability in the Template Compiler’s handling of SVG scripts where href/xlink:href are not treated as Resource URLs. Affected: Angular pre-patched releases before 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0. Impact is in the rendering/templating path; patch versions are ...

GHSA-JRMJ-C5CX-3CW6 Angular has XSS Vulnerability via Unsanitized SVG Script Attributes

A Cross-Site Scripting XSS vulnerability has been identified in the Angular Template Compiler. The vulnerability exists because Angular’s internal sanitization schema fails to recognize the href and xlink:href attributes of SVG elements as a Resource URL context. In a standard security model,...

PT-2026-2230

Name of the Vulnerable Software and Affected Versions Angular versions prior to 19.2.18 Angular versions prior to 20.3.16 Angular versions prior to 21.0.7 Angular version 21.1.0-rc.0 Description Angular is a development platform for building mobile and desktop web applications using...

EUVD-2024-2583

Malicious code in bioql PyPI...

CVE-2024-41515

A reflected cross-site scripting XSS vulnerability in "ccHandlerResource.ashx" in CADClick = 1.11.0 allows remote attackers to inject arbitrary web script or HTML via the "resurl" parameter...

CVE-2024-43371

CKAN is an open-source data management system for powering data hubs and data portals. There are a number of CKAN plugins, including XLoader, DataPusher, Resource proxy and ckanext-archiver, that work by downloading the contents of local or remote files in order to perform some actions with their...

PT-2024-30535 · Ckan +3 · Ckan +5

Name of the Vulnerable Software and Affected Versions: CKAN versions prior to 2.10.5 CKAN versions prior to 2.11.0 Description: CKAN is an open-source data management system for powering data hubs and data portals. There are a number of CKAN plugins, including XLoader, DataPusher, Resource proxy,...

SUSE CVE-2011-0071

Directory traversal vulnerability in Mozilla Firefox before 3.5.19 and 3.6.x before 3.6.17, Thunderbird before 3.1.10, and SeaMonkey before 2.0.14 on Windows allows remote attackers to determine the existence of arbitrary files, and possibly load resources, via vectors involving a resource: URL...

SUSE CVE-2015-0816

Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 do not properly restrict resource: URLs, which makes it easier for remote attackers to execute arbitrary JavaScript code with chrome privileges by leveraging the ability to bypass the Same Origin Policy, as...

Arbitrary Script Injection

Overview Affected versions of this package are vulnerable to Arbitrary Script Injection. Attributes were not protected via $sce, which prevents interpolated values that fail the RESOURCEURL context tests from being used in interpolation. For example if the application is running at...

Mozilla Firefox < 37.0 Multiple Vulnerabilities

Binary data 8742.prm...

thunderbird: multiple issues

CVE-2015-0801 same-origin bypass: Mozilla developer Olli Pettay reported that while investigating Mozilla Foundation Security Advisory 2015-28, he and Mozilla developer Boris Zbarsky found an alternate way to trigger a similar vulnerability. The previously reported flaw used an issue with SVG...

resource:// documents can load privileged pages — Mozilla

Security researcher Mariusz Mlynski reported, through HP Zero Day Initiative's Pwn2Own contest, that documents loaded though a resource: URL, such as Mozilla's PDF.js PDF file viewer, were able to subsequently load privileged chrome pages. The privilege restrictions on resource: URLs was handled...

Protection Bypass

Overview Affected versions of this package are vulnerable to Protection Bypass via ng-attr-action and ng-attr-srcdoc allowing binding to Javascript. The fix was to require bindings to formaction to be $sce.RESOURCEURL and bindings to iframesrcdoc to be $sce.HTML Remediation Upgrade angularjs to...