
312 matches found

OSV
added 5 days ago | 4 views

EEF-CVE-2026-54889 Unsanitized URL schemes in MDEx Quill Delta output allow javascript: injection (XSS)

Summary: Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in leandrocp mdex allows cross-site scripting via unsanitized URL schemes in Quill Delta output. 'Elixir.MDEx':to_delta/2 converts Markdown into a Quill Delta. 'Elixir.MDEx.DeltaConverter':default_convert_node/3...

CVSS 5.1 | AI score 5.7 | EPSS 0.0031
Exploits: 0 | References: 4
NVD
added 2026/06/23 9:17 p.m. | 9 views

CVE-2026-53930

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the base-migration endpoint accepted a caller-supplied URL that the migration worker dereferenced without enforcing protocol or destination, allowing scheme abuse (file:, ftp:, etc.) and probing of internal HTTP...

CVSS 5.1 | EPSS 0.00288
Exploits: 0 | References: 1
Cvelist
added 2026/06/23 7:42 p.m. | 25 views

CVE-2026-53930 NocoDB: Server-Side Request Forgery via Base Migration URL

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the base-migration endpoint accepted a caller-supplied URL that the migration worker dereferenced without enforcing protocol or destination, allowing scheme abuse (file:, ftp:, etc.) and probing of internal HTTP...

CVSS 5.1 | EPSS 0.00288
Exploits: 0 | References: 1
AstraLinux
added 2026/06/19 11:10 a.m. | 4 views

Astra Linux – Vulnerability in Firefox, Thunderbird

A website could have obscured the fullscreen notification by using a URL that was processed by an external program, such as a mailto URL. This could have caused confusion among users and potentially led to spoofing attacks. This vulnerability affects Firefox 115, Firefox ESR 102.13, and Thunderbi...

CVSS 6.5 | AI score 6.7 | EPSS 0.00681
Exploits: 0 | References: 2
AstraLinux
added 2026/06/19 11:10 a.m. | 4 views

Astra Linux – Vulnerability in Thunderbird, Firefox

A website could have obscured the full-screen notification by using a URL that was processed by an external program, such as a mailto URL. This could have caused confusion among users and potentially led to spoofing attacks. This vulnerability affects Firefox 116, Firefox ESR 115.2, and Thunderbi...

CVSS 6.5 | AI score 6.7 | EPSS 0.00657
Exploits: 0 | References: 2
Positive Technologies
added 2026/06/19 12:0 a.m. | 18 views

PT-2026-51122

Name of the Vulnerable Software and Affected Versions: Symfony UX Icons (affected versions not specified). Description: The ux_icon Twig function is marked as safe for HTML, which prevents Twig from escaping its output. The Icon::toHtml function inlines SVG source code directly into the page. Because...

CVSS 6.1 | AI score 5.5
Exploits: 0 | References: 6
Veracode
added 2026/06/15 11:24 a.m. | 9 views

Cross-site Scripting

Nuxt is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to insufficient validation of URL schemes in the component, where attacker-controlled values supplied to the to or href props can contain javascript: or vbscript: URLs that are rendered directly into the underlying element,...

CVSS 5.4 | AI score 5.6 | EPSS 0.00198
Exploits: 0 | References: 3 | Affected Software: 1
NVD
added 2026/06/14 11:16 p.m. | 9 views

CVE-2026-12190

A vulnerability has been found in Genspark AI Workspace App 2.8.4 on Android. This vulnerability affects unknown code of the component ai.mainfunc.genspark. The manipulation leads to improper authorization in handler for custom url scheme. The attack can only be performed from a local environment...

CVSS 5.3 | EPSS 0.00105
Exploits: 0 | References: 5
Cvelist
added 2026/06/14 10:45 p.m. | 30 views

CVE-2026-12190 Genspark AI Workspace App ai.mainfunc.genspark improper authorization in handler for custom url scheme

A vulnerability has been found in Genspark AI Workspace App 2.8.4 on Android. This vulnerability affects unknown code of the component ai.mainfunc.genspark. The manipulation leads to improper authorization in handler for custom url scheme. The attack can only be performed from a local environment...

CVSS 5.3 | EPSS 0.00105
Exploits: 0 | References: 5
CVE
added 2026/06/14 10:45 p.m. | 23 views

CVE-2026-12190

The CVE-2026-12190 entry concerns Genspark AI Workspace App version 2.8.4 on Android, affecting the ai.mainfunc.genspark component. The issue is described as improper authorization in the handler for a custom URL scheme, with exploitation limited to a local environment. The provided documents do ...

CVSS 5.3 | AI score 5.5 | EPSS 0.00105
Exploits: 0 | References: 5
NVD
added 2026/06/12 7:16 p.m. | 16 views

CVE-2026-53407

Improper Authorization in Handler for Custom URL Scheme in Zoom Workplace before version 7.0.4 for Android and before 7.0.3 for iOS may allow an unauthenticated user to conduct an escalation of privilege via network access...

CVSS 9.8 | EPSS 0.00231
Exploits: 0 | References: 1
EUVD
added 2026/06/12 5:57 p.m. | 8 views

EUVD-2026-36523

Improper Authorization in Handler for Custom URL Scheme in Zoom Workplace before version 7.0.4 for Android and before 7.0.3 for iOS may allow an unauthenticated user to conduct an escalation of privilege via network access...

CVSS 8.1 | AI score 5.3 | EPSS 0.00211
Exploits: 0 | References: 1
CVE
added 2026/06/12 5:57 p.m. | 33 views

CVE-2026-53408

The CVE-2026-53408 vulnerability affects Zoom Workplace: Android before 7.0.4 and iOS before 7.0.3. It is due to Improper Authorization in the Handler for a Custom URL Scheme, enabling an unauthenticated privilege escalation via network access. The CVSSv3.1 base score is 8.1 (High) with Network a...

CVSS 8.1 | AI score 5.3 | EPSS 0.00211
Exploits: 0 | References: 1 | Affected Software: 2
Vulnrichment
added 2026/06/12 5:56 p.m. | 11 views

CVE-2026-53407

Improper Authorization in Handler for Custom URL Scheme in Zoom Workplace before version 7.0.4 for Android and before 7.0.3 for iOS may allow an unauthenticated user to conduct an escalation of privilege via network access...

CVSS 8.1 | AI score 5.3 | EPSS 0.00231
Exploits: 0 | References: 1
Cvelist
added 2026/06/12 5:56 p.m. | 29 views

CVE-2026-53407

Improper Authorization in Handler for Custom URL Scheme in Zoom Workplace before version 7.0.4 for Android and before 7.0.3 for iOS may allow an unauthenticated user to conduct an escalation of privilege via network access...

CVSS 8.1 | EPSS 0.00231
Exploits: 0 | References: 1
NVD
added 2026/06/12 3:16 p.m. | 11 views

CVE-2026-53722

Nuxt is an open-source web development framework for Vue.js. Prior to versions 3.21.7 and 4.4.7, did not validate the URL scheme of values bound to its to or href props before rendering them into the href attribute of the underlying element. When an application binds attacker-controlled input a...

CVSS 5.4 | EPSS 0.00198
Exploits: 0 | References: 3
Cvelist
added 2026/06/12 12:30 p.m. | 25 views

CVE-2026-12065 Groww Stock, Mutual Fund, Gold App WebView URL improper authorization in handler for custom url scheme

A vulnerability was identified in Groww Stock, Mutual Fund, Gold App up to 20260805 on Android. This affects an unknown part of the component WebView URL Handler. The manipulation leads to improper authorization in handler for custom url scheme. It is possible to launch the attack on the physical...

CVSS 1.8 | EPSS 0.00106
Exploits: 0 | References: 6
Vulnrichment
added 2026/06/12 12:30 p.m. | 7 views

CVE-2026-12065 Groww Stock, Mutual Fund, Gold App WebView URL improper authorization in handler for custom url scheme

A vulnerability was identified in Groww Stock, Mutual Fund, Gold App up to 20260805 on Android. This affects an unknown part of the component WebView URL Handler. The manipulation leads to improper authorization in handler for custom url scheme. It is possible to launch the attack on the physical...

CVSS 1.8 | AI score 3.5 | EPSS 0.00106
Exploits: 0 | References: 6
CVE
added 2026/06/12 12:30 p.m. | 18 views

CVE-2026-12065

Groww Android app (Groww Stock, Mutual Fund, Gold App) up to 20260805 is affected due to improper authorization in the WebView URL Handler for a custom URL scheme. The issue is located in an unknown part of the WebView URL handling logic and can be triggered on a physical device. Exploitation sta...

CVSS 1.8 | AI score 3.8 | EPSS 0.00106
Exploits: 0 | References: 7
Github Security Blog
added 2026/06/08 11:0 p.m. | 24 views

PHPSpreadsheet has a patch bypass for CVE-2026-34084

Summary: CVE-2026-34084 was patched by the helper File::prohibitWrappers. The helper calls parse_url($filename, PHP_URL_SCHEME) and then checks is_string($scheme) && strlen($scheme) 1 to reject stream wrappers such as phar://, php://, data:// or expect://. The check is not equivalent to "does the path conta...

CVSS 9.8 | AI score 5.7 | EPSS 0.00712
Exploits: 2 | References: 3 | Affected Software: 1