25 matches found
CVE-2026-45348 pyLoad: Stored XSS in Downloads view via unsanitized link URL in packages.js template literal
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the packages.js template at src/pyload/webui/app/themes/modern/templates/js/packages.js:172 interpolates a stored link URL into a template literal inside single-quoted HTML and then writes the result to...
GHSA-FCJQ-435V-JX94 pyLoad is vulnerable to stored XSS in Downloads view via unsanitized link URL in packages.js template literal
Summary The packages.js template at src/pyload/webui/app/themes/modern/templates/js/packages.js:172 interpolates a stored link URL into a template literal inside single-quoted HTML and then writes the result to the DOM via $div.htmlhtml. No escaping runs between the API value and innerHTML. An...
SUSE-SU-2026:1581-1 Security update for go1.25-openssl
This update for go1.25-openssl fixes the following issues: - Update to go1.25.9 bsc1244485. - CVE-2026-27140: cmd/go: trust layer bypass when using cgo and SWIG bsc1261653. - CVE-2026-27143: cmd/compile: possible memory corruption after bound check elimination bsc1261654. - CVE-2026-27144:...
OPENSUSE-SU-2026:20570-1 Security update for go1.25
This update for go1.25 fixes the following issues: - Update to version go1.25.9 bsc1244485. - CVE-2026-27140: cmd/go: trust layer bypass when using cgo and SWIG bsc1261653. - CVE-2026-27143: cmd/compile: possible memory corruption after bound check elimination bsc1261654. - CVE-2026-27144:...
SUSE-SU-2026:21356-1 Security update for go1.26
This update for go1.26 fixes the following issues: - Update to version go1.26.2 bsc1255111. - CVE-2026-27140: cmd/go: trust layer bypass when using cgo and SWIG bsc1261653. - CVE-2026-27143: cmd/compile: possible memory corruption after bound check elimination bsc1261654. - CVE-2026-27144:...
Linux Distros Unpatched Vulnerability : CVE-2026-32289
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used...
CVE-2026-33943 Happy DOM ECMAScriptModuleCompiler: unsanitized export names are interpolated as executable code
Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. In versions 15.10.0 through 20.8.7, a code injection vulnerability in ECMAScriptModuleCompiler allows an attacker to achieve Remote Code Execution RCE by injecting arbitrary JavaScript expressions insi...
SUSE CVE-2025-65026
esm.sh is a nobuild content delivery networkCDN for modern web development. Prior to version 136, The esm.sh CDN service contains a Template Literal Injection vulnerability CWE-94 in its CSS-to-JavaScript module conversion feature. When a CSS file is requested with the ?module query parameter,...
CVE-2025-65026
esm.sh is a nobuild content delivery networkCDN for modern web development. Prior to version 136, The esm.sh CDN service contains a Template Literal Injection vulnerability CWE-94 in its CSS-to-JavaScript module conversion feature. When a CSS file is requested with the ?module query parameter,...
EUVD-2025-198180
esm.sh CDN service has JS Template Literal Injection in CSS-to-JavaScript...
esm.sh CDN service has JS Template Literal Injection in CSS-to-JavaScript
Summary The esm.sh CDN service contains a Template Literal Injection vulnerability CWE-94 in its CSS-to-JavaScript module conversion feature. When a CSS file is requested with the ?module query parameter, esm.sh converts it to a JavaScript module by embedding the CSS content directly into a...
GHSA-HCPF-QV9M-VFGP esm.sh CDN service has JS Template Literal Injection in CSS-to-JavaScript
Summary The esm.sh CDN service contains a Template Literal Injection vulnerability CWE-94 in its CSS-to-JavaScript module conversion feature. When a CSS file is requested with the ?module query parameter, esm.sh converts it to a JavaScript module by embedding the CSS content directly into a...
CVE-2025-65026
esm.sh is a nobuild content delivery networkCDN for modern web development. Prior to version 136, The esm.sh CDN service contains a Template Literal Injection vulnerability CWE-94 in its CSS-to-JavaScript module conversion feature. When a CSS file is requested with the ?module query parameter,...
CVE-2025-65026 esm.sh CDN service has JS Template Literal Injection in CSS-to-JavaScript
esm.sh is a nobuild content delivery networkCDN for modern web development. Prior to version 136, The esm.sh CDN service contains a Template Literal Injection vulnerability CWE-94 in its CSS-to-JavaScript module conversion feature. When a CSS file is requested with the ?module query parameter,...
CVE-2025-65026
CVE-2025-65026 affects esm.sh prior to version 136. The vulnerability arises when the CSS-to-JavaScript module conversion inserts CSS into a JavaScript template literal without sanitization, allowing template literals to execute ${...} expressions. This can enable XSS in browsers and potential RC...
CVE-2025-65026 esm.sh CDN service has JS Template Literal Injection in CSS-to-JavaScript
esm.sh is a nobuild content delivery networkCDN for modern web development. Prior to version 136, The esm.sh CDN service contains a Template Literal Injection vulnerability CWE-94 in its CSS-to-JavaScript module conversion feature. When a CSS file is requested with the ?module query parameter,...
PT-2025-47504
Name of the Vulnerable Software and Affected Versions esm.sh versions prior to 136 Description The esm.sh CDN service has an issue where CSS-to-JavaScript module conversion lacks proper sanitization. When a CSS file is requested with the ?module parameter, it is converted to a JavaScript module,...
dompurify: Mutation XSS in DOMPurify Due to Improper Template Literal Handling
A flaw was found in DOMPurify. This vulnerability allows attackers to execute mutation-based Cross-site scripting mXSS via an incorrect template literal regular expression...
SUSE CVE-2025-26791
DOMPurify before 3.2.4 has an incorrect template literal regular expression, sometimes leading to mutation cross-site scripting mXSS...
GHSA-VHXF-7VQR-MRJG DOMPurify allows Cross-site Scripting (XSS)
DOMPurify before 3.2.4 has an incorrect template literal regular expression when SAFEFORTEMPLATES is set to true, sometimes leading to mutation cross-site scripting mXSS...