Lucene search
K

25 matches found

Cvelist
Cvelist
added 2026/05/28 5:12 p.m.28 views

CVE-2026-45348 pyLoad: Stored XSS in Downloads view via unsanitized link URL in packages.js template literal

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the packages.js template at src/pyload/webui/app/themes/modern/templates/js/packages.js:172 interpolates a stored link URL into a template literal inside single-quoted HTML and then writes the result to...

8.7CVSS0.00199EPSS
Exploits0References1
OSV
OSV
added 2026/05/14 8:23 p.m.5 views

GHSA-FCJQ-435V-JX94 pyLoad is vulnerable to stored XSS in Downloads view via unsanitized link URL in packages.js template literal

Summary The packages.js template at src/pyload/webui/app/themes/modern/templates/js/packages.js:172 interpolates a stored link URL into a template literal inside single-quoted HTML and then writes the result to the DOM via $div.htmlhtml. No escaping runs between the API value and innerHTML. An...

8.7CVSS5.9AI score0.00199EPSS
Exploits0References3
OSV
OSV
added 2026/04/23 4:39 p.m.6 views

SUSE-SU-2026:1581-1 Security update for go1.25-openssl

This update for go1.25-openssl fixes the following issues: - Update to go1.25.9 bsc1244485. - CVE-2026-27140: cmd/go: trust layer bypass when using cgo and SWIG bsc1261653. - CVE-2026-27143: cmd/compile: possible memory corruption after bound check elimination bsc1261654. - CVE-2026-27144:...

9.8CVSS5.6AI score0.00658EPSS
Exploits0References20
OSV
OSV
added 2026/04/20 2:2 p.m.8 views

OPENSUSE-SU-2026:20570-1 Security update for go1.25

This update for go1.25 fixes the following issues: - Update to version go1.25.9 bsc1244485. - CVE-2026-27140: cmd/go: trust layer bypass when using cgo and SWIG bsc1261653. - CVE-2026-27143: cmd/compile: possible memory corruption after bound check elimination bsc1261654. - CVE-2026-27144:...

9.8CVSS5.8AI score0.00658EPSS
Exploits0References19
OSV
OSV
added 2026/04/20 2:0 p.m.5 views

SUSE-SU-2026:21356-1 Security update for go1.26

This update for go1.26 fixes the following issues: - Update to version go1.26.2 bsc1255111. - CVE-2026-27140: cmd/go: trust layer bypass when using cgo and SWIG bsc1261653. - CVE-2026-27143: cmd/compile: possible memory corruption after bound check elimination bsc1261654. - CVE-2026-27144:...

9.8CVSS5.7AI score0.00658EPSS
Exploits0References22
Tenable Nessus
Tenable Nessus
added 2026/04/09 12:0 a.m.3 views

Linux Distros Unpatched Vulnerability : CVE-2026-32289

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used...

6.1CVSS7.1AI score0.0029EPSS
Exploits0References4
OSV
OSV
added 2026/03/27 9:15 p.m.4 views

CVE-2026-33943 Happy DOM ECMAScriptModuleCompiler: unsanitized export names are interpolated as executable code

Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. In versions 15.10.0 through 20.8.7, a code injection vulnerability in ECMAScriptModuleCompiler allows an attacker to achieve Remote Code Execution RCE by injecting arbitrary JavaScript expressions insi...

8.8CVSS6.1AI score0.00788EPSS
Exploits1References5
SUSE CVE
SUSE CVE
added 2025/12/12 12:25 a.m.5 views

SUSE CVE-2025-65026

esm.sh is a nobuild content delivery networkCDN for modern web development. Prior to version 136, The esm.sh CDN service contains a Template Literal Injection vulnerability CWE-94 in its CSS-to-JavaScript module conversion feature. When a CSS file is requested with the ?module query parameter,...

9.6CVSS6.8AI score0.00438EPSS
Exploits1References2
RedhatCVE
RedhatCVE
added 2025/11/26 4:56 p.m.3 views

CVE-2025-65026

esm.sh is a nobuild content delivery networkCDN for modern web development. Prior to version 136, The esm.sh CDN service contains a Template Literal Injection vulnerability CWE-94 in its CSS-to-JavaScript module conversion feature. When a CSS file is requested with the ?module query parameter,...

6.1CVSS6.8AI score0.00438EPSS
Exploits1References1
EUVD
EUVD
added 2025/11/19 8:31 p.m.4 views

EUVD-2025-198180

esm.sh CDN service has JS Template Literal Injection in CSS-to-JavaScript...

6.1CVSS6.7AI score0.00438EPSS
Exploits1References4
Github Security Blog
Github Security Blog
added 2025/11/19 8:31 p.m.9 views

esm.sh CDN service has JS Template Literal Injection in CSS-to-JavaScript

Summary The esm.sh CDN service contains a Template Literal Injection vulnerability CWE-94 in its CSS-to-JavaScript module conversion feature. When a CSS file is requested with the ?module query parameter, esm.sh converts it to a JavaScript module by embedding the CSS content directly into a...

9.6CVSS7.5AI score0.00438EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2025/11/19 8:31 p.m.6 views

GHSA-HCPF-QV9M-VFGP esm.sh CDN service has JS Template Literal Injection in CSS-to-JavaScript

Summary The esm.sh CDN service contains a Template Literal Injection vulnerability CWE-94 in its CSS-to-JavaScript module conversion feature. When a CSS file is requested with the ?module query parameter, esm.sh converts it to a JavaScript module by embedding the CSS content directly into a...

6.1CVSS7.5AI score0.00438EPSS
Exploits1References4
NVD
NVD
added 2025/11/19 6:15 p.m.10 views

CVE-2025-65026

esm.sh is a nobuild content delivery networkCDN for modern web development. Prior to version 136, The esm.sh CDN service contains a Template Literal Injection vulnerability CWE-94 in its CSS-to-JavaScript module conversion feature. When a CSS file is requested with the ?module query parameter,...

9.6CVSS0.00438EPSS
Exploits1References2
Cvelist
Cvelist
added 2025/11/19 5:33 p.m.12 views

CVE-2025-65026 esm.sh CDN service has JS Template Literal Injection in CSS-to-JavaScript

esm.sh is a nobuild content delivery networkCDN for modern web development. Prior to version 136, The esm.sh CDN service contains a Template Literal Injection vulnerability CWE-94 in its CSS-to-JavaScript module conversion feature. When a CSS file is requested with the ?module query parameter,...

6.1CVSS0.00438EPSS
Exploits1References2
CVE
CVE
added 2025/11/19 5:33 p.m.24 views

CVE-2025-65026

CVE-2025-65026 affects esm.sh prior to version 136. The vulnerability arises when the CSS-to-JavaScript module conversion inserts CSS into a JavaScript template literal without sanitization, allowing template literals to execute ${...} expressions. This can enable XSS in browsers and potential RC...

9.6CVSS6.4AI score0.00438EPSS
Exploits1References2Affected Software1
OSV
OSV
added 2025/11/19 5:33 p.m.6 views

CVE-2025-65026 esm.sh CDN service has JS Template Literal Injection in CSS-to-JavaScript

esm.sh is a nobuild content delivery networkCDN for modern web development. Prior to version 136, The esm.sh CDN service contains a Template Literal Injection vulnerability CWE-94 in its CSS-to-JavaScript module conversion feature. When a CSS file is requested with the ?module query parameter,...

6.1CVSS6.7AI score0.00438EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2025/11/19 12:0 a.m.5 views

PT-2025-47504

Name of the Vulnerable Software and Affected Versions esm.sh versions prior to 136 Description The esm.sh CDN service has an issue where CSS-to-JavaScript module conversion lacks proper sanitization. When a CSS file is requested with the ?module parameter, it is converted to a JavaScript module,...

6.1CVSS6.4AI score0.00438EPSS
Exploits1References11
RedHat Linux
RedHat Linux
added 2025/03/10 2:46 p.m.2 views

dompurify: Mutation XSS in DOMPurify Due to Improper Template Literal Handling

A flaw was found in DOMPurify. This vulnerability allows attackers to execute mutation-based Cross-site scripting mXSS via an incorrect template literal regular expression...

6.1CVSS5.8AI score0.00559EPSS
Exploits1References8
SUSE CVE
SUSE CVE
added 2025/02/27 2:56 a.m.3 views

SUSE CVE-2025-26791

DOMPurify before 3.2.4 has an incorrect template literal regular expression, sometimes leading to mutation cross-site scripting mXSS...

4.2CVSS6.4AI score0.00559EPSS
Exploits1References4
OSV
OSV
added 2025/02/14 9:31 a.m.4 views

GHSA-VHXF-7VQR-MRJG DOMPurify allows Cross-site Scripting (XSS)

DOMPurify before 3.2.4 has an incorrect template literal regular expression when SAFEFORTEMPLATES is set to true, sometimes leading to mutation cross-site scripting mXSS...

4.5CVSS6.7AI score0.00559EPSS
Exploits1References6
Rows per page
Query Builder