2 matches found
CLSA-2026-1777026478 Fix CVE(s): CVE-2026-34980
SECURITY UPDATE: control-character injection in scheduler option handling - debian/patches/CVE-2026-34980.patch: filter control characters from IPP string option values and reject "special" PPD keywords cupsFilter, cupsFilter2, etc. reported back by job filters to prevent filter/command injection...
Weblate: Self-XSS can be achieved in the editor link using filter bypass
Description I saw the fixed issue in the https://hackerone.com/reports/223692 and i think i found another filter bypass. I noticed that we actually can use special keywords like %branchs, %files and %lines. So XSS can be achieved in this way: %branchs:alert1;//https:// if the branch will be named...