916 matches found
CVE-2026-64184
In the Linux kernel, the following vulnerability has been resolved: mm/damon/sysfs-schemes: call missing memcgroupiterbreak damonsysfsmemcgpathtoid breaks memcgroupiter loop without calling memcgroupiterbreak. This leaks the cgroup reference. Fix the issue by calling memcgroupiterbreak before the...
EUVD-2026-45869
In the Linux kernel, the following vulnerability has been resolved: mm/damon/sysfs-schemes: call missing memcgroupiterbreak damonsysfsmemcgpathtoid breaks memcgroupiter loop without calling memcgroupiterbreak. This leaks the cgroup reference. Fix the issue by calling memcgroupiterbreak before the...
SUSE CVE-2026-59929
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, the safeurl filter in src/mistune/renderers/html.py blocks only javascript:, vbscript:, file:, and data: schemes, allowing legacy or chained schemes such as feed:, view-source:, jar:, livescript:, mocha:, ms-its:, mk:...
Linux Distros Unpatched Vulnerability : CVE-2026-59929
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, the safeurl filter in src/mistune/renderers/html.py blocks only javascript:,...
CVE-2026-59802
PasswordPusher before 2.8.1 accepts data URI schemes in URL push payloads due to insufficient validation in the validurl function. Attackers can create malicious pushes containing data:text/html URIs that execute arbitrary JavaScript in victims' browsers when clicked, enabling phishing and...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the safeurl process. An attacker can inject malicious URLs into rendered href and src attributes by crafting links that use legacy or chained schemes, potentially leading to script execution in affected user...
DEBIAN-CVE-2026-59929
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, the safeurl filter in src/mistune/renderers/html.py blocks only javascript:, vbscript:, file:, and data: schemes, allowing legacy or chained schemes such as feed:, view-source:, jar:, livescript:, mocha:, ms-its:, mk:...
CVE-2026-59929
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, the safeurl filter in src/mistune/renderers/html.py blocks only javascript:, vbscript:, file:, and data: schemes, allowing legacy or chained schemes such as feed:, view-source:, jar:, livescript:, mocha:, ms-its:, mk:...
CVE-2026-59929
Mistune is a Python Markdown parser. CVE-2026-59929 affects the safe_url filter in src/mistune/renderers/html.py prior to version 3.3.0, which blocks only javascript:, vbscript:, file:, and data: schemes. This allowed legacy or chained schemes such as feed:, view-source:, jar:, livescript:, mocha...
CVE-2026-59929 Mistune renderers/html.safe_url: HARMFUL_PROTOCOLS list misses legacy and chained schemes that historically chain to `javascript:` execution
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, the safeurl filter in src/mistune/renderers/html.py blocks only javascript:, vbscript:, file:, and data: schemes, allowing legacy or chained schemes such as feed:, view-source:, jar:, livescript:, mocha:, ms-its:, mk:...
CVE-2026-59929 Mistune renderers/html.safe_url: HARMFUL_PROTOCOLS list misses legacy and chained schemes that historically chain to `javascript:` execution
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, the safeurl filter in src/mistune/renderers/html.py blocks only javascript:, vbscript:, file:, and data: schemes, allowing legacy or chained schemes such as feed:, view-source:, jar:, livescript:, mocha:, ms-its:, mk:...
PT-2026-56512
Name of the Vulnerable Software and Affected Versions Mistune versions prior to 3.3.0 Description The safe url filter in src/mistune/renderers/html.py fails to block several legacy or chained URI schemes. While it restricts javascript:, vbscript:, file:, and data:, it allows schemes such as feed:...
PT-2026-56075
Name of the Vulnerable Software and Affected Versions Coder versions prior to 2.29.17 Coder versions prior to 2.32.7 Coder versions prior to 2.33.8 Coder versions prior to 2.34.2 Description The coder open app command opens external workspace-app URLs without validating the scheme or host. If an...
GHSA-7FQC-P256-7PWJ Steeltoe's static JWKS cache shared across schemes and never invalidated
Summary The JWT signing key cache in TokenKeyResolver uses kid as the sole cache key without namespacing by authority. In applications with multiple JwtBearer schemes pointing to different identity providers, a key fetched for one scheme can satisfy token validation for another. Additionally,...
CVE-2026-55661 TinaCMS rich-text (slatejson) rendering does not sanitize link/image URLs, allowing stored XSS via dangerous URL schemes
Tina is a headless content management system. In versions prior to @tinacms/mdx 2.1.7 and tinacms 3.9.3, rich-text parsing and the default link/image renderers did not sanitize the url field on Slate link/image nodes. Content containing javascript: or data:text/html URLs — including case-variant,...
CVE-2026-53606
A flaw was found in sanitize-html, an HTML sanitizer library. This vulnerability allows a remote attacker to perform Cross-Site Scripting XSS attacks. The issue occurs because the sanitizer does not properly validate dangerous URI schemes, such as javascript:, when they are used in certain HTML...
CVE-2026-54889
Summary: CVE-2026-54889 security issue in Elixir.MDEx.mdex Delta conversion path allows XSS via unsanitized URL schemes in Quill Delta output. The vulnerability arises when Elixir.MDEx.DeltaConverter.default_convert_node/3 copies the URL from link, wikilink, or image nodes into the Delta attribut...
EEF-CVE-2026-54889 Unsanitized URL schemes in MDEx Quill Delta output allow javascript: injection (XSS)
Summary Improper Neutralization of Input During Web Page Generation XSS vulnerability in leandrocp mdex allows cross-site scripting via unsanitized URL schemes in Quill Delta output. 'Elixir.MDEx':to\delta/2 converts Markdown into a Quill Delta. 'Elixir.MDEx.DeltaConverter':default\convert\node/3...
PT-2026-53687
Name of the Vulnerable Software and Affected Versions leandrocp mdex versions 0.8.3 through 0.13.1 Description Improper neutralization of input during web page generation allows cross-site scripting XSS via unsanitized URL schemes in Quill Delta output. The function to delta/2 converts Markdown...
EUVD-2026-31691
Hackney vulnerable to atom-table exhaustion via unrecognized URL schemes...