27 matches found

Positive Technologies
added 2026/04/02 12:00 a.m. · 1 view

PT-2026-29855

Postiz is an AI social media scheduling tool. Prior to version 2.21.4, the POST /webhooks/ endpoint for creating webhooks uses WebhooksDto, which validates the url field with only an @IsUrl format check, missing the @IsSafeWebhookUrl validator that blocks internal/private network addresses. The updat...

CVSS 5.4 · AI score 5.8 · EPSS 0.00039
Exploits 1 · References 4
OSV
added 2026/03/11 12:26 a.m. · 1 view

GHSA-FVWQ-45QV-XVHV CraftCMS vulnerable to reflective XSS via incomplete return URL sanitization

Summary: The fix for CVE-2025-35939 in craftcms/cms introduced a striptags call in src/web/User.php to sanitize return URLs before they are stored in the session. However, striptags only removes HTML tags (angle brackets); it does not inspect or filter URL schemes. Payloads like...

CVSS 6.9 · AI score 5.9 · EPSS 0.00041
Exploits 0 · References 4
GithubExploit
added 2026/03/10 8:06 a.m. · 114 views

Stored-XSS-in-node-html-markdown-2.0.0

Stored XSS in node-html-markdown ≤ 2.0.0. Overview: This re...

AI score 5.8
Exploits 0
NVD
added 2026/01/10 3:15 a.m. · 2 views

CVE-2026-22029

React Router is a router for React. In @remix-run/router versions prior to 1.23.2 and react-router 7.0.0 through 7.11.0, React Router and Remix v1/v2 SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs...

CVSS 8 · EPSS 0.00019
Exploits 0 · References 1
Github Security Blog
added 2026/01/08 8:54 p.m. · 24 views

React Router vulnerable to XSS via Open Redirects

React Router and Remix v1/v2 SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended JavaScript execution on the client. This is only an issue if developers are creating redirect paths...

CVSS 8 · AI score 7.1 · EPSS 0.00019
Exploits 0 · References 3 · Affected Software 2
EUVD
added 2025/10/03 8:07 p.m. · 3 views

EUVD-2022-5057

Malicious code in bioql PyPI...

CVSS 6.1 · AI score 6.2 · EPSS 0.0031
Exploits 1 · References 7
EUVD
added 2025/10/03 8:07 p.m. · 4 views

EUVD-2023-2869

Malicious code in bioql PyPI...

CVSS 3.7 · AI score 4.7 · EPSS 0.00063
Exploits 1 · References 4
RedhatCVE
added 2025/05/22 12:59 p.m. · 6 views

CVE-2018-20583

Cross-site scripting (XSS) vulnerability in the PHP League CommonMark library versions 0.15.6 through 0.18.x before 0.18.1 allows remote attackers to insert unsafe URLs into HTML (even if allow_unsafe_links is false) via a newline character (e.g., writing javascript: as javascri%0apt:)...

CVSS 6.1 · AI score 5.8 · EPSS 0.0031
Exploits 1 · References 1
Github Security Blog
added 2025/02/06 5:16 p.m. · 10 views

Parsed HTML anchor links in Markdown provided to parseMarkdown can result in XSS in @nuxtjs/mdc

Summary: Unsafe parsing logic for URLs in markdown can lead to arbitrary JavaScript execution due to a bypass of the existing guards around the javascript: protocol scheme in the URL. Details: The parsing logic implemented at...

CVSS 9.3 · AI score 6.4 · EPSS 0.00043
Exploits 0 · References 5 · Affected Software 1
Positive Technologies
added 2024/06/06 12:00 a.m. · 1 view

PT-2024-23768 · Mintplex · Anything-Llm

Name of the Vulnerable Software and Affected Versions: mintplex-labs/anything-llm versions prior to 1.0.0. Description: A stored Cross-Site Scripting (XSS) vulnerability exists in the mintplex-labs/anything-llm application. The vulnerability arises from the application's failure to properly sanitize...

CVSS 8.7 · AI score 6.8 · EPSS 0.00216
Exploits 1 · References 6
OSV
added 2024/03/05 12:15 p.m. · 1 view

CVE-2023-45593

A CWE-184 “Incomplete List of Disallowed Inputs” vulnerability in the embedded Chromium browser concerning the handling of alternative URLs, other than “http://localhost”, allows a physical attacker to read arbitrary files on the file system, alter the configuration of the embedded browser, and...

CVSS 6.8 · AI score 5.9 · EPSS 0.00107
Exploits 0 · References 1
Veracode
added 2023/11/27 6:37 a.m. · 18 views

Server Side Request Forgery

google-translate-api-browser is vulnerable to Server-Side Request Forgery. The vulnerability is due to improper sanitization of the translateOptions.tld field in the Google Translate URL. If an application using the package exposes translateOptions to the end user, an attacker can set a...

CVSS 3.7 · AI score 6.5 · EPSS 0.00063
Exploits 1 · References 2 · Affected Software 1
Cvelist
added 2023/11/24 5:06 p.m. · 11 views

CVE-2023-48711 Server-Side Request Forgery (SSRF) Vulnerability in google-translate-api-browser

google-translate-api-browser is an npm package which interfaces with the Google Translate web API. A Server-Side Request Forgery (SSRF) vulnerability is present in applications utilizing the google-translate-api-browser package and exposing the translateOptions to the end user. An attacker can set ...

CVSS 3.7 · AI score 4.3 · EPSS 0.00063
Exploits 1 · References 2
Github Security Blog
added 2022/05/14 1:40 a.m. · 28 views

PHP League CommonMark vulnerable to Cross-Site Scripting (XSS)

Cross-site scripting (XSS) vulnerability in the PHP League CommonMark library versions 0.15.6 through 0.18.x before 0.18.1 allows remote attackers to insert unsafe URLs into HTML (even if allow_unsafe_links is false) via a newline character (e.g., writing javascript: as javascri%0apt:)...

CVSS 6.1 · AI score 3.7 · EPSS 0.0031
Exploits 1 · References 6 · Affected Software 1
OSV
added 2022/05/14 1:40 a.m. · 18 views

GHSA-QX76-C53F-5C7Q PHP League CommonMark vulnerable to Cross-Site Scripting (XSS)

Cross-site scripting (XSS) vulnerability in the PHP League CommonMark library versions 0.15.6 through 0.18.x before 0.18.1 allows remote attackers to insert unsafe URLs into HTML (even if allow_unsafe_links is false) via a newline character (e.g., writing javascript: as javascri%0apt:)...

CVSS 6.1 · AI score 5.9 · EPSS 0.0031
Exploits 1 · References 6
OSV
added 2021/04/12 7:59 p.m. · 7 views

MGASA-2021-0185 Updated wireshark packages fix a security vulnerability

Wireshark could open unsafe URLs (CVE-2021-22191)...

CVSS 8.8 · AI score 8.7 · EPSS 0.00272
Exploits 0 · References 5
Tenable Nessus
added 2021/03/10 12:00 a.m. · 29 views

Wireshark 3.4.x < 3.4.4 A Vulnerability (macOS)

The version of Wireshark installed on the remote macOS / Mac OS X host is prior to 3.4.4. It is, therefore, affected by a vulnerability as referenced in the wireshark-3.4.4 advisory. - Improper URL handling in Wireshark 3.4.0 to 3.4.3 and 3.2.0 to 3.2.11 could allow remote code execution via...

CVSS 8.8 · AI score 7.4 · EPSS 0.00272
Exploits 0 · References 4
NVD
added 2018/12/30 5:29 a.m. · 12 views

CVE-2018-20583

Cross-site scripting (XSS) vulnerability in the PHP League CommonMark library versions 0.15.6 through 0.18.x before 0.18.1 allows remote attackers to insert unsafe URLs into HTML (even if allow_unsafe_links is false) via a newline character (e.g., writing javascript: as javascri%0apt:)...

CVSS 6.1 · AI score 6 · EPSS 0.0031
Exploits 1 · References 3
Prion
added 2018/12/30 5:29 a.m. · 7 views

Cross-site scripting

Cross-site scripting (XSS) vulnerability in the PHP League CommonMark library versions 0.15.6 through 0.18.x before 0.18.1 allows remote attackers to insert unsafe URLs into HTML (even if allow_unsafe_links is false) via a newline character (e.g., writing javascript: as javascri%0apt:)...

CVSS 4.3 · AI score 6 · EPSS 0.0031
Exploits 1 · References 3 · Affected Software 1
OSV
added 2018/12/30 5:29 a.m. · 11 views

CVE-2018-20583

Cross-site scripting (XSS) vulnerability in the PHP League CommonMark library versions 0.15.6 through 0.18.x before 0.18.1 allows remote attackers to insert unsafe URLs into HTML (even if allow_unsafe_links is false) via a newline character (e.g., writing javascript: as javascri%0apt:)...

CVSS 6.1 · AI score 5.8
Exploits 0 · References 3