CVE-2026-47344
When ALLOWINSECURERAWTEXT is enabled, whitespace-variant closing tags e.g., are not recognized by the sanitizer but accepted by browsers as valid end tags, allowing subsequent content to escape sanitization. This allows bypassing the cross-site scripting prevention mechanism of typo3/html-sanitiz...
HTML Sanitizer Cross-Site Scripting Vulnerability
HTML Sanitizer is an HTML security filtering component open-sourced by the TYPO3 project on GitHub. Versions of HTML Sanitizer prior to 2.3.2 contained a cross-site scripting vulnerability. This vulnerability stemmed from incorrect encoding of namespace attributes during HTML serialization, which...
Cross-site Scripting
TinyMCE is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to improper SVG namespace scope handling in the sanitizer, where crafted nested SVG elements can bypass attribute sanitization and execute arbitrary JavaScript, resulting in cross-site scripting attacks...
CVE-2026-47760
TinyMCE is an open source rich text editor. From 6.8.0 to before 7.1.0, TinyMCE contains an XSS vulnerability caused by improper SVG namespace scope handling in the sanitizer. A crafted payload using nested elements can bypass attribute sanitization and execute arbitrary JavaScript. This...
PT-2026-44389
Name of the Vulnerable Software and Affected Versions: TinyMCE versions 6.8.0 through 7.0.x. Description: An XSS (Cross-Site Scripting) issue exists due to improper SVG namespace scope handling within the sanitizer. An attacker can use a crafted payload with nested elements to bypass attribute...
CVE-2026-40301
DOMSanitizer is a DOM/SVG/MathML Sanitizer for PHP 7.3+. Prior to version 1.0.10, DOMSanitizer::sanitize allows...
CVE-2026-31807
SiYuan is a personal knowledge management system. Prior to 3.5.10, SiYuan's SVG sanitizer SanitizeSVG blocks dangerous elements...
GHSA-G9GQ-3PFX-2GW2 OWASP Java HTML Sanitizer is vulnerable to XSS via noscript tag and improper style tag sanitization
Summary: It is observed that OWASP Java HTML Sanitizer is vulnerable to XSS if HtmlPolicyBuilder allows noscript and style tags with allowTextIn inside the style tag. This could lead to XSS if the payload is crafted in such a way that it does not sanitise the CSS and allows tags which are not...
EUVD-2022-6830
Malicious code in bioql PyPI...
CVE-2025-55166
svg-sanitizer is a PHP SVG/XML sanitizer. Prior to version 0.22.0, the sanitization logic in the cleanXlinkHrefs method only searches for lower-case attribute names, which allows bypassing the isHrefSafeValue check. As a result this allows cross-site scripting or linking to external domains. Thi...
CVE-2025-52561 HTMLSanitizer.jl Possible XSS
HTMLSanitizer.jl is a whitelist-based HTML sanitizer. Prior to version 0.2.1, when adding the style tag to the whitelist, content inside the tag is incorrectly unescaped, and closing tags injected as content are interpreted as real HTML, enabling tag injection and JavaScript execution. This could...
CVE-2023-36471
XWiki Commons is the set of common modules used by other XWiki top-level projects. The HTML sanitizer included in XWiki since version 14.6RC1 allowed form and input HTML tags. In the context of XWiki, this allows an attacker without script right to either create forms that can be used for phishi...
CVE-2002-2034
The Email Sanitizer before 1.133 for Procmail allows remote attackers to bypass the mail filter and execute arbitrary code via crafted recursive multipart MIME attachments...
HTML sanitizer Security Vulnerability
HTML sanitizer is an allowlist-based HTML cleaner by Matthias Kestenholz, an individual developer. A security vulnerability exists in HTML sanitizer, caused by specially crafted HTML that can escape cleaning...
PT-2023-18514 · Unknown · Svg-Sanitizer
Name of the Vulnerable Software and Affected Versions: sanitize-svg versions prior to 0.4.0 Description: The sanitize-svg package uses a deny-list-pattern to sanitize SVGs and prevent cross-site scripting attacks. However, literal -tags and on-event handlers were detected in versions prior to...
CVE-2022-21169 Prototype Pollution
The package express-xss-sanitizer before 1.1.3 is vulnerable to Prototype Pollution via the allowedTags attribute, allowing the attacker to bypass XSS sanitization...
Express XSS Sanitizer Security Vulnerability
Express XSS Sanitizer is a package by individual developer AhmedAdelFahim that cleans user input in req.body, req.query, req.headers and req.params to prevent cross-site scripting (XSS) attacks. A prototype pollution vulnerability exists in versions prior to 1.1.3, which stems...
PT-2022-4877
Name of the Vulnerable Software and Affected Versions: Rails::Html::Sanitizer versions prior to 1.4.3. Description: The issue is related to the incorrect use of select and style elements when overriding allowed tags in the HTML sanitizer for Rails applications. This can allow a remote attacker to...
com.github.promregator:promregator (>=0.6.3 <=0.9.0-rc1), com.lancethomps:lava (>=1.0.0 <=1.12.0) +160 more potentially affected by CVE-2021-23899 via com.mikesamuel:json-sanitizer (>=1.2.0 <=1.2.1)
com.mikesamuel:json-sanitizer MAVEN version =1.2.0, =0.6.3, =1.0.0, =1.0.0, =1.1.0, =1.1.0, =1.8.1, =1.0.0, =1.0.0, =1.0.0, =1.1.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.2.0 and more Source cves: CVE-2021-23899 Source advisory: OSV:GHSA-MM8J-9X84-M9CV...
UBUNTU-CVE-2020-4054
In Sanitize RubyGem sanitize greater than or equal to 3.0.0 and less than 5.2.1, there is a cross-site scripting vulnerability. When HTML is sanitized using Sanitize's "relaxed" config, or a custom config that allows certain elements, some content in a math or svg element may not be sanitized...