Lucene search
K

104 matches found

Nuclei
Nuclei
added 14 hours ago17 views

Label Studio < 1.16.0 - Cross-Site Scripting

Label Studio prior to version 1.16.0 contains a cross-site scripting caused by rendering unsanitized user-provided HTML in the /projects/upload-example endpoint, letting attackers execute arbitrary JavaScript via crafted labelconfig in a GET request, exploit requires victims to visit malicious UR...

6.1CVSS6.2AI score0.01778EPSS
Exploits2References2
Cvelist
Cvelist
added 3 days ago28 views

CVE-2026-56354 n8n - Cross-Site Scripting and Open Redirect in Form Node

n8n before 1.123.24, 2.10.4, and 2.12.0 across its 1.x and 2.x branches contains cross-site scripting and open redirect vulnerabilities in the Form Node due to unsanitized HTML description fields and overly permissive iframe sandbox policies. Authenticated users with workflow creation permissions...

5.1CVSS0.00186EPSS
Exploits0References2
NVD
NVD
added 6 days ago9 views

CVE-2026-55647

DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, dashboard text components render stored component content with Vue v-html without server-side HTML sanitization, allowing an authenticated user who can edit dashboard component data to inject HTML with executable...

5.1CVSS0.00269EPSS
Exploits0References3
CVE
CVE
added 6 days ago12 views

CVE-2026-55647

DataEase (open source data visualization/analysis tool) contains an XSS flaw in dashboard text components. Before version 2.10.24, stored content rendered via Vue v-html without server-side sanitization, enabling an authenticated user who can edit dashboard component data to inject HTML with exec...

5.1CVSS6AI score0.00269EPSS
Exploits0References3
NVD
NVD
added 2026/06/27 8:16 a.m.13 views

CVE-2026-9233

The Quiz and Survey Master QSM – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 11.1.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...

4.3CVSS0.00272EPSS
Exploits0References12
Cvelist
Cvelist
added 2026/06/27 6:50 a.m.33 views

CVE-2026-9233 Quiz and Survey Master (QSM) <= 11.1.4 - Missing Authorization to Authenticated (Contributor+) Arbitrary Modification via qsm_insert_quiz_template AJAX Action

The Quiz and Survey Master QSM – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 11.1.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...

4.3CVSS0.00272EPSS
Exploits0References12
ATTACKERKB
ATTACKERKB
added 2026/06/27 6:50 a.m.9 views

CVE-2026-9233

The Quiz and Survey Master QSM – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 11.1.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...

4.3CVSS5.9AI score0.00272EPSS
Exploits0References13
EUVD
EUVD
added 2026/06/27 6:50 a.m.11 views

EUVD-2026-39952

The Quiz and Survey Master QSM – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 11.1.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...

4.3CVSS5.9AI score0.00272EPSS
Exploits0References12
CVE
CVE
added 2026/06/27 6:50 a.m.22 views

CVE-2026-9233

CVE-2026-9233 affects the WordPress plugin Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker up to version 11.1.4 . The root cause is an authorization bypass in the AJAX action qsm_insert_quiz_template , allowing authenticated users with contributor-level access and above to create, modif...

4.3CVSS5.9AI score0.00272EPSS
Exploits0References12
Positive Technologies
Positive Technologies
added 2026/06/27 12:0 a.m.15 views

PT-2026-53058

Name of the Vulnerable Software and Affected Versions Quiz and Survey Master QSM – Easy Quiz and Survey Maker versions prior to 11.1.5 Description An authorization bypass exists because the plugin fails to properly verify if a user is authorized to perform specific actions. Authenticated attacker...

4.3CVSS5.9AI score0.00272EPSS
Exploits0References18
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.22 views

PT-2026-50597

Name of the Vulnerable Software and Affected Versions Filament versions 3.0.0 through 3.3.52 Description A disabled RichEditor field renders its raw state without sanitizing HTML. If the data stored in the field's state was not previously sanitized when the form state was filled, an attacker can...

7.6CVSS5.8AI score0.00168EPSS
Exploits0References6
EUVD
EUVD
added 2026/06/12 7:6 p.m.12 views

EUVD-2026-35395

TYPO3 CMS has Cross-Site Scripting in Indexed Search...

5.1CVSS5.2AI score0.00269EPSS
Exploits0References6
EUVD
EUVD
added 2026/06/10 2:2 p.m.12 views

EUVD-2026-36041

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, wrapline app/modules/common/common.py:181-186 and highlightword app/modules/common/common.py:188-192 build raw HTML by string concatenation with no escaping. The frontend...

6.1CVSS5.4AI score0.00149EPSS
Exploits0References1
NVD
NVD
added 2026/06/09 5:17 p.m.13 views

CVE-2026-46492

md-fileserver allows for local viewing of markdown files in a browser. Prior to version 1.10.3, a cross-site scripting XSS vulnerability exists in the application’s Markdown rendering logic. When user-supplied Markdown content is rendered, embedded raw HTML—including tags—is processed and injecte...

7.2CVSS0.00213EPSS
Exploits0References2
CVE
CVE
added 2026/06/09 4:9 p.m.29 views

CVE-2026-46492

md-fileserver önce 1.10.3 sürümünden önce HTML içeren Markdown içeriğini güvenli olmayan şekilde render ediyor; bu, kullanıcı tarafından sağlanan Markdown içeriğinde yer alan [removed] gibi ham HTML’nin sayfaya güvenliksız olarak enjekte edilmesine yol açıyor. Etkilenen bileşenler arasında Markdo...

7.2CVSS5.4AI score0.00213EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/26 5:39 p.m.13 views

Cross-site Scripting (XSS)

Overview @typebot.io/js is a Javascript library to display typebots on your website Affected versions of this package are vulnerable to Cross-site Scripting XSS in the RatingButton component when unsanitized SVG or HTML is rendered via the innerHTML directive. An attacker can gain access to sessi...

8.7CVSS5.6AI score0.00257EPSS
Exploits0References2
OSV
OSV
added 2026/05/21 5:57 p.m.13 views

GHSA-32Q2-HHR5-6QVV md-fileserver: Stored/Reflected XSS when viewing Markdown (raw HTML allowed)

Summary A cross-site scripting XSS vulnerability exists in the application’s Markdown rendering logic. When user-supplied Markdown content is rendered, embedded raw HTML—including tags—is processed and injected into the resulting page without sanitization, allowing arbitrary JavaScript execution ...

7.2CVSS6AI score0.00213EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/05/21 12:0 a.m.20 views

PT-2026-42666

Name of the Vulnerable Software and Affected Versions md-fileserver versions prior to 1.10.3 Description A cross-site scripting XSS issue exists in the Markdown rendering logic. When user-supplied Markdown content is rendered, embedded raw HTML, such as tags or event handlers e.g., , is processed...

7.2CVSS5.5AI score0.00213EPSS
Exploits0References4
EUVD
EUVD
added 2026/05/15 9:28 p.m.15 views

EUVD-2026-30659

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, his advisory tracks a regression of the original Excel-preview XSS CVE-2026-44549. The same root cause — XLSX.utils.sheettohtml output rendered via @html excelHtml without DOMPurify ...

7.3CVSS5.8AI score0.00318EPSS
Exploits2References1
Github Security Blog
Github Security Blog
added 2026/05/14 8:18 p.m.13 views

Open WebUI has stored XSS via unsanitized Office/Excel/DOCX file preview rendering ({@html} without DOMPurify)

Related advisory This advisory tracks a regression of the original Excel-preview XSS that was publicly disclosed and patched under GHSA-jwf8-pv5p-vhmc patched in v0.8.0. The same root cause — XLSX.utils.sheettohtml output rendered via @html excelHtml without DOMPurify — was reintroduced sometime...

5.4CVSS5.8AI score0.00209EPSS
Exploits1References5Affected Software1
Rows per page
Query Builder