Lucene search
+L

7 matches found

Snyk
Snyk
added 2026/04/22 7:55 p.m.7 views

Cross-site Scripting (XSS)

Overview @marko/runtime-tags is an Optimized runtime for Marko templates. Affected versions of this package are vulnerable to Cross-site Scripting XSS in the handling of interpolated values within or tags due to improper case-insensitive detection of closing tags. An attacker can execute arbitrar...

6.4CVSS5.8AI score0.00195EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/04/21 12:0 a.m.8 views

PT-2026-33912

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, FreeScout's Helper::stripDangerousTags removes , , , but does NOT strip tags. The mailbox signature field is saved via POST /mailbox/settings/id and later rendered unescaped via !!...

8.1CVSS5.9AI score0.00243EPSS
Exploits0References4
EUVD
EUVD
added 2026/04/16 8:42 p.m.6 views

EUVD-2026-23104

ApostropheCMS: Stored XSS via CSS Custom Property Injection in @apostrophecms/color-field Escaping Style Tag Context...

5.4CVSS5.8AI score0.0021EPSS
Exploits1References3
Github Security Blog
Github Security Blog
added 2026/04/16 8:42 p.m.9 views

ApostropheCMS: Stored XSS via CSS Custom Property Injection in @apostrophecms/color-field Escaping Style Tag Context

Summary The @apostrophecms/color-field module bypasses color validation for values prefixed with -- intended for CSS custom properties, but performs no HTML sanitization on these values. When styles containing attacker-controlled color values are rendered into tags — both in the global stylesheet...

5.4CVSS6.1AI score0.0021EPSS
Exploits1References4Affected Software1
Cvelist
Cvelist
added 2026/04/15 7:29 p.m.19 views

CVE-2026-33889 ApostropheCMS: Stored XSS via CSS Custom Property Injection in `@apostrophecms/color-field` Escaping Style Tag Context

ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a stored cross-site scripting vulnerability in the @apostrophecms/color-field module, where color values prefixed with -- bypass TinyColor validation intended for CSS custom properties, and the...

5.4CVSS0.0021EPSS
Exploits1References2
OSV
OSV
added 2026/04/06 5:20 p.m.3 views

CVE-2026-35046 Tandoor has a Stored CSS Injection via <style> Tag in Recipe Instructions (API-Level)

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, Tandoor Recipes allows authenticated users to inject arbitrary tags into recipe step instructions. The bleach.clean sanitizer explicitly whitelists the tag, causing the backend to...

5.4CVSS6.1AI score0.00173EPSS
Exploits1References4
CNNVD
CNNVD
added 2026/04/06 12:0 a.m.10 views

Tandoor Recipes 跨站脚本漏洞

Tandoor Recipes is an open-source application designed for managing recipes, planning meals, creating shopping lists, and more. Versions of Tandoor Recipes prior to 2.6.4 contained a cross-site scripting vulnerability. This vulnerability stemmed from the ability to inject any tag into the recipe...

5.4CVSS5.7AI score0.00173EPSS
Exploits1References3
Rows per page
Query Builder