
38 matches found

EUVD
added 2026/04/23 7:52 p.m., 2 views

EUVD-2026-25297

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GET /api/v1/public-chatflows/:id endpoint returns the full chatflow object without sanitization for public chatflows. Docker validation revealed this is worse than initially assessed: the...

CVSS 8.7 | AI score 5.8 | EPSS 0.00025
Exploits: 1 | References: 1
Positive Technologies
added 2026/04/23 12:00 a.m., 1 view

PT-2026-34746

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GET /api/v1/public-chatflows/:id endpoint returns the full chatflow object without sanitization for public chatflows. Docker validation revealed this is worse than initially assessed: the...

CVSS 8.7 | AI score 5.8 | EPSS 0.00025
Exploits: 1 | References: 2
RedhatCVE
added 2026/03/26 3:00 p.m., 1 view

CVE-2026-33482

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the sanitizeFFmpegCommand function in plugin/API/standAlone/functions.php is designed to prevent OS command injection in ffmpeg commands by stripping dangerous shell metacharacters &&, ;, |, , . However, it fails ...

CVSS 8.1 | AI score 6.1 | EPSS 0.00106
Exploits: 1 | References: 1
EUVD
added 2025/12/18 1:51 a.m., 1 view

EUVD-2025-204022

The Embed Any Document – Embed PDF, Word, PowerPoint and Excel Files plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the sanitizepdfsrc function regex bypass in all versions up to, and including, 2.7.10 due to insufficient input sanitization and output escaping. This makes i...

CVSS 6.4 | AI score 4.7 | EPSS 0.00032
Exploits: 0 | References: 4
Veracode
added 2025/10/31 7:33 a.m., 4 views

Uncontrolled Recursion

express-xss-sanitizer is vulnerable to uncontrolled recursion. The vulnerability is due to an unbounded recursion depth in the sanitize function in lib/sanitize.js when processing a JSON request body, which allows an attacker to cause a denial of service by triggering infinite recursion...

CVSS 5.3 | AI score 6.5 | EPSS 0.00009
Exploits: 0 | References: 6 | Affected Software: 1
EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2015-1185

Malware in sbrugna...

CVSS 5.8 | AI score 6.8 | EPSS 0.0062
Exploits: 2 | References: 8
EUVD
added 2025/10/03 8:07 p.m., 1 view

EUVD-2024-0096

Malicious code in bioql PyPI...

CVSS 9 | AI score 6.5 | EPSS 0.01646
Exploits: 1 | References: 5
Github Security Blog
added 2025/09/26 2:38 p.m., 4 views

express-xss-sanitizer has an unbounded recursion depth

Security Advisory: express-xss-sanitizer Overview A vulnerability was discovered in express-xss-sanitizer that allowed unbounded recursion depth during sanitization of nested objects. Affected Versions - All versions prior to 2.0.1 Patched Versions - 2.0.1 and later Description The sanitize...

CVSS 5.3 | AI score 7.2 | EPSS 0.00009
Exploits: 0 | References: 10 | Affected Software: 1
RedhatCVE
added 2025/09/16 12:12 a.m., 7 views

CVE-2025-59364

The express-xss-sanitizer aka Express XSS Sanitizer package through 2.0.0 for Node.js has an unbounded recursion depth in sanitize in lib/sanitize.js for a JSON request body...

CVSS 5.3 | AI score 6.3 | EPSS 0.00009
Exploits: 0 | References: 1
OSV
added 2025/09/14 11:15 p.m., 4 views

CVE-2025-59364

The express-xss-sanitizer aka Express XSS Sanitizer package through 2.0.0 for Node.js has an unbounded recursion depth in sanitize in lib/sanitize.js for a JSON request body...

CVSS 5.3 | AI score 6.4
Exploits: 0 | References: 3
NVD
added 2025/09/14 11:15 p.m., 2 views

CVE-2025-59364

The express-xss-sanitizer aka Express XSS Sanitizer package through 2.0.0 for Node.js has an unbounded recursion depth in sanitize in lib/sanitize.js for a JSON request body...

CVSS 5.3 | EPSS 0.00009
Exploits: 0 | References: 3
Snyk
added 2025/09/14 10:42 p.m., 2 views

Uncontrolled Recursion

Overview express-xss-sanitizer is an Express 4.x middleware which sanitizes user input data in req.body, req.query, req.headers and req.params to prevent Cross Site Scripting XSS attack. Affected versions of this package are vulnerable to Uncontrolled Recursion via the sanitize function in...

CVSS 6.9 | AI score 6 | EPSS 0.00009
Exploits: 0 | References: 2
Vulnrichment
added 2025/09/14 12:00 a.m., 3 views

CVE-2025-59364

The express-xss-sanitizer aka Express XSS Sanitizer package through 2.0.0 for Node.js has an unbounded recursion depth in sanitize in lib/sanitize.js for a JSON request body...

CVSS 5.3 | AI score 6 | EPSS 0.00009
Exploits: 0 | References: 3
Positive Technologies
added 2025/09/14 12:00 a.m., 4 views

PT-2025-37434

Name of the Vulnerable Software and Affected Versions express-xss-sanitizer versions through 2.0.0 Description The express-xss-sanitizer package contains an unbounded recursion depth in the sanitize function located in lib/sanitize.js when processing a JSON request body. Recommendations Update to...

CVSS 6.9 | AI score 6.5 | EPSS 0.00009
Exploits: 0 | References: 15
RedhatCVE
added 2025/05/22 4:20 p.m., 3 views

CVE-2020-14413

NeDi 1.9C is vulnerable to XSS because of an incorrect implementation of sanitize in inc/libmisc.php. This function attempts to escape the SCRIPT tag from user-controllable values, but can be easily bypassed, as demonstrated by an onerror attribute of an IMG element as a Devices-Config.php?sta=...

CVSS 6.1 | AI score 6 | EPSS 0.15743
Exploits: 0
Veracode
added 2025/05/15 3:38 a.m., 6 views

Cross-Site Scripting (XSS)

@lumieducation/h5p-server is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to the omission of the sanitizeHtml function call for plain text strings, which allows attackers to inject malicious HTML or JavaScript code...

CVSS 6.4 | AI score 6 | EPSS 0.00172
Exploits: 0 | References: 4 | Affected Software: 1
Github Security Blog
added 2024/10/29 3:32 p.m., 15 views

Lollms vulnerable to Cross-site Scripting

A vulnerability in the discussion image upload function of the Lollms application, version v9.9, allows for the uploading of SVG files. Due to incomplete filtering in the sanitizesvg function, this can lead to cross-site scripting XSS vulnerabilities, which in turn pose a risk of remote code...

CVSS 9 | AI score 6.1 | EPSS 0.01646
Exploits: 1 | References: 5 | Affected Software: 1
NVD
added 2024/10/29 1:15 p.m., 13 views

CVE-2024-6581

A vulnerability in the discussion image upload function of the Lollms application, version v9.9, allows for the uploading of SVG files. Due to incomplete filtering in the sanitizesvg function, this can lead to cross-site scripting XSS vulnerabilities, which in turn pose a risk of remote code...

CVSS 9 | EPSS 0.01646
Exploits: 1 | References: 2
ATTACKERKB
added 2024/02/20 9:15 p.m., 0 views

CVE-2023-46967

Cross Site Scripting vulnerability in the sanitize function in Enhancesoft osTicket 1.18.0 allows a remote attacker to escalate privileges via a crafted support ticket...

CVSS 6.1 | AI score 5.8 | EPSS 0.00108
Exploits: 1 | References: 2
Prion
added 2024/02/20 9:15 p.m., 12 views

Cross site scripting

Cross Site Scripting vulnerability in the sanitize function in Enhancesoft osTicket 1.18.0 allows a remote attacker to escalate privileges via a crafted support ticket...

AI score 7.1 | EPSS 0.00108
Exploits: 1 | References: 1