2 matches found
CVE-2026-59923 Mistune: XSS via percent-encoded javascript URI bypass in safe_url()
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, HTMLRenderer.safeurl does not block percent-encoded javascript URIs, allowing attacker-supplied Markdown links or images to bypass URL protections and execute script in rendered HTML. This issue is fixed in version...
New Firefox iFrame Bug Bypasses URL Protections
UPDATED–There is a bug in Mozilla’s flagship Firefox browser related to the way the browser handles obfuscated URLs in iFrames. However, a Mozilla official said the bug poses “very low” risk to users. Johnathan Nightingale of Mozilla said in a blog post late Tuesday that the bug poses little risk...