Lucene search
K

8 matches found

NVD
NVD
added 2026/06/23 6:18 p.m.12 views

CVE-2026-52846

Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, Caddy’s stripHTML template function cannot reliably remove all HTML tags from input strings. Certain malformed HTML, such as img src=x onerror=alert, can bypass the tag-stripping logic, potentially leaving dangerous...

4.2CVSS0.00153EPSS
Exploits1References1
NVD
NVD
added 2026/06/17 11:17 p.m.10 views

CVE-2026-45617

LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. In versions 10.25.7 and below, the built-in striphtml filter uses a regex containing four flawed lazy-quantified alternatives, leading to ReDoS via quadratic backtracking. When the input contains many script...

7.5CVSS0.00385EPSS
Exploits0References3
NVD
NVD
added 2026/06/17 11:17 p.m.12 views

CVE-2026-44644

LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. Versions 10.25.7 and below are vulnerable to XSS through a flaw in the striphtml filter logic. The striphtml filter is intended to remove HTML tags from a string before rendering, and is widely used as an XS...

6.1CVSS0.00203EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/17 9:50 p.m.16 views

CVE-2026-44644 LiquidJS's strip_html filter bypass via newline characters in HTML tags enables XSS

LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. Versions 10.25.7 and below are vulnerable to XSS through a flaw in the striphtml filter logic. The striphtml filter is intended to remove HTML tags from a string before rendering, and is widely used as an XS...

6.1CVSS0.00203EPSS
Exploits0References3
OSV
OSV
added 2026/05/27 6:8 p.m.7 views

GHSA-R7G9-XPMJ-5FCQ LiquidJS Vulnerable to ReDoS via Quadratic Backtracking in `strip_html` Filter Regex

Summary The built-in striphtml filter in liquidjs uses a regex containing four lazy-quantified alternatives. When the input contains many |||/g, '' The regex contains four lazy patterns: 1. 2. 3. 4. For an input like 'script'.repeatN, the engine encounters N starting positions. At each one it mus...

7.5CVSS5.8AI score0.00385EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/05/27 12:0 a.m.11 views

PT-2026-44156

Name of the Vulnerable Software and Affected Versions LiquidJS versions prior to 10.26.0 Description The built-in strip html filter uses a regular expression containing four flawed lazy-quantified alternatives. When processing input with numerous script, style, or !-- opener tokens that lack...

7.5CVSS5.2AI score0.00385EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/05/27 12:0 a.m.17 views

PT-2026-43458

Name of the Vulnerable Software and Affected Versions LiquidJS versions prior to 10.26.0 Description A flaw in the strip html filter logic allows for Cross-Site Scripting XSS. The filter is designed to remove HTML tags from strings to act as a sanitizer; however, it uses a regular expression wher...

6.1CVSS5.6AI score0.00203EPSS
Exploits0References7
Snyk
Snyk
added 2026/03/07 6:44 p.m.3 views

Cross-site Scripting (XSS)

Overview league/commonmark is a PHP-based Markdown parser which supports the full CommonMark spec. It is based on the CommonMark JS reference implementation. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the DisallowedRawHtml extension when a newline, tab, or...

6.1CVSS5.7AI score0.00217EPSS
Exploits0References2
Rows per page
Query Builder