
98 matches found

OSV
added 3 days ago, 4 views

EEF-CVE-2026-54889 Unsanitized URL schemes in MDEx Quill Delta output allow javascript: injection (XSS)

Summary: Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in leandrocp mdex allows cross-site scripting via unsanitized URL schemes in Quill Delta output. 'Elixir.MDEx':to_delta/2 converts Markdown into a Quill Delta. 'Elixir.MDEx.DeltaConverter':default_convert_node/3...

5.1 CVSS, 5.7 AI score, 0.0031 EPSS
Exploits 0, References 4

CVE
added 3 days ago, 9 views

CVE-2026-54889

Summary: CVE-2026-54889 security issue in Elixir.MDEx.mdex Delta conversion path allows XSS via unsanitized URL schemes in Quill Delta output. The vulnerability arises when Elixir.MDEx.DeltaConverter.default_convert_node/3 copies the URL from link, wikilink, or image nodes into the Delta attribut...

5.1 CVSS, 5.7 AI score, 0.0031 EPSS
Exploits 0, References 4

EUVD
added 6 days ago, 14 views

EUVD-2026-31691

Hackney vulnerable to atom-table exhaustion via unrecognized URL schemes...

8.7 CVSS, 5.8 AI score, 0.00703 EPSS
Exploits 1, References 5

GitHub Security Blog
added 2026/06/18 1:7 p.m., 6 views

TinaCMS rich-text (slatejson) rendering does not sanitize link/image URLs, allowing stored XSS via dangerous URL schemes

TinaCMS rich-text parsing and the default link/image renderers did not sanitize the url field on Slate link/image nodes. Content containing javascript: or data:text/html URLs — including case-variant, whitespace-padded, and control-character-obfuscated forms — is rendered into href/src and execut...

4.8 CVSS, 5.2 AI score
Exploits 0, References 3, Affected Software 2

EUVD
added 2026/06/12 12:30 p.m., 7 views

EUVD-2026-36417

A vulnerability was identified in Groww Stock, Mutual Fund, Gold App up to 20260805 on Android. This affects an unknown part of the component WebView URL Handler. The manipulation leads to improper authorization in handler for custom url scheme. It is possible to launch the attack on the physical...

1.8 CVSS, 3.7 AI score, 0.00106 EPSS
Exploits 0, References 6

ATTACKERKB
added 2026/06/02 7:8 p.m., 8 views

CVE-2026-48597

Allocation of Resources Without Limits or Throttling vulnerability in elixir-tesla tesla allows denial of service via atom table exhaustion in Tesla.Adapter.Mint. Tesla.Adapter.Mint.open_conn/2 converts the URL scheme of every outgoing request to a BEAM atom via String.to_atom(uri.scheme) with no...

8.2 CVSS, 5.8 AI score, 0.00301 EPSS
Exploits 0, References 5, Affected Software 1

Vulnrichment
added 2026/06/02 7:8 p.m., 7 views

CVE-2026-48597 Atom table exhaustion via untrusted URL scheme in Tesla.Adapter.Mint

Allocation of Resources Without Limits or Throttling vulnerability in elixir-tesla tesla allows denial of service via atom table exhaustion in Tesla.Adapter.Mint. Tesla.Adapter.Mint.open_conn/2 converts the URL scheme of every outgoing request to a BEAM atom via String.to_atom(uri.scheme) with no...

8.2 CVSS, 5.8 AI score, 0.00301 EPSS
Exploits 0, References 4

Cvelist
added 2026/06/02 7:8 p.m., 38 views

CVE-2026-48597 Atom table exhaustion via untrusted URL scheme in Tesla.Adapter.Mint

Allocation of Resources Without Limits or Throttling vulnerability in elixir-tesla tesla allows denial of service via atom table exhaustion in Tesla.Adapter.Mint. Tesla.Adapter.Mint.open_conn/2 converts the URL scheme of every outgoing request to a BEAM atom via String.to_atom(uri.scheme) with no...

8.2 CVSS, 0.00301 EPSS
Exploits 0, References 4

CVE
added 2026/06/02 7:8 p.m., 28 views

CVE-2026-48597

The vulnerability CVE-2026-48597 affects elixir-tesla (Tesla) where Tesla.Adapter.Mint.open_conn/2 converts each outgoing request URL scheme to a BEAM atom using String.to_atom(uri.scheme) without an allow-list. Since BEAM atoms are not garbage-collected, an attacker who can influence the request...

8.2 CVSS, 5.8 AI score, 0.00301 EPSS
Exploits 0, References 4

PyPA
added 2026/05/28 4:16 p.m., 9 views

PYSEC-0000-CVE-2026-48522

PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient passes its uri argument directly to urllib.request.urlopen which uses Python stdlib's default OpenerDirector registering HTTPHandler, HTTPSHandler, FTPHandler, FileHandler, and DataHandler. There is currently no...

4.2 CVSS, 5.9 AI score, 0.00181 EPSS
Exploits 1, References 1, Affected Software 1

Tenable Nessus
added 2026/05/27 12:0 a.m., 17 views

Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS : Vim vulnerabilities (USN-8304-1)

The remote Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-8304-1 advisory. Joshua Rogers discovered that Vim incorrectly handled certain URL schemes...

6.6 CVSS, 6.2 AI score, 0.00917 EPSS
Exploits 1, References 4

EUVD
added 2026/05/07 8:1 p.m., 12 views

EUVD-2026-28440

i18nextify is a JavaScript library that adds website internationalization via a script tag, without source code changes. Versions prior to 4.0.8 substitute key interpolation tokens inside src and href attribute values with the raw string returned by i18next.t. The substitution logic in...

4.7 CVSS, 5.9 AI score, 0.00144 EPSS
Exploits 0, References 2

CNNVD
added 2026/05/07 12:0 a.m., 14 views

i18nextify cross-site scripting vulnerability

i18nextify is an open-source Java library application developed by i18next. Versions prior to i18nextify 4.0.8 contained a cross-site scripting vulnerability. This vulnerability stemmed from the key interpolation token in the src and href attribute values, which did not validate the URL scheme...

4.7 CVSS, 5.7 AI score, 0.00144 EPSS
Exploits 0, References 1

Vulnrichment
added 2026/05/05 7:52 p.m., 13 views

CVE-2026-40280 Gotenberg SSRF via case-insensitive URL scheme bypass in webhook and downloadFrom deny-lists

Gotenberg is an API-based document conversion tool. In versions 8.30.1 and earlier, the default private-IP deny-lists for the --webhook-deny-list and --api-download-from-deny-list flags use a case-sensitive regular expression ^https?:// to match URL schemes. Because Go's net/url.Parse normalizes...

7.8 CVSS, 5.7 AI score, 0.00463 EPSS
Exploits 1, References 3

Cvelist
added 2026/05/05 7:52 p.m., 29 views

CVE-2026-40280 Gotenberg SSRF via case-insensitive URL scheme bypass in webhook and downloadFrom deny-lists

Gotenberg is an API-based document conversion tool. In versions 8.30.1 and earlier, the default private-IP deny-lists for the --webhook-deny-list and --api-download-from-deny-list flags use a case-sensitive regular expression ^https?:// to match URL schemes. Because Go's net/url.Parse normalizes...

7.8 CVSS, 0.00463 EPSS
Exploits 1, References 3

CVE
added 2026/05/05 7:52 p.m., 19 views

CVE-2026-40280

Gotenberg vulnerability (CVE-2026-40280) enables SSRF through a case-insensitive URL scheme bypass in the webhook and api-download-from deny-lists. In versions

7.8 CVSS, 5.7 AI score, 0.00463 EPSS
Exploits 1, References 3, Affected Software 1

NVD
added 2026/05/01 4:16 p.m., 6 views

CVE-2026-23866

Incomplete validation of AI rich response messages for Instagram Reels in WhatsApp for iOS v2.25.8.0 to v2.26.15.72 and WhatsApp for Android v2.25.8.0 to v2.26.7.10 could have allowed a user to trigger processing of media content from an arbitrary URL on another user’s device, including triggerin...

4.3 CVSS, 0.00464 EPSS
Exploits 0, References 2

Cvelist
added 2026/05/01 4:2 p.m., 33 views

CVE-2026-23866

Incomplete validation of AI rich response messages for Instagram Reels in WhatsApp for iOS v2.25.8.0 to v2.26.15.72 and WhatsApp for Android v2.25.8.0 to v2.26.7.10 could have allowed a user to trigger processing of media content from an arbitrary URL on another user’s device, including triggerin...

4.3 CVSS, 0.00464 EPSS
Exploits 0, References 2

RedhatCVE
added 2026/04/30 2:47 p.m., 9 views

CVE-2026-3861

LINE client for iOS versions prior to 26.3.0 contains a vulnerability in the in-app browser where opening a crafted web page can repeatedly trigger OS-level dialogs due to insufficient safeguards when handling arbitrary URL schemes, potentially causing the iOS device to become temporarily...

7.1 CVSS, 5.3 AI score, 0.00305 EPSS
Exploits 0, References 1

OSV
added 2026/04/14 11:35 p.m., 4 views

GHSA-3M9M-24VH-39WX Server-Side Request Forgery (SSRF) in Craft CMS with Asset Uploads Mutations

Required Permissions: The exploitation requires a few permissions to be enabled in the used GraphQL schema: "Edit assets in the volume", "Create assets in the volume". Details: The implementation fails to restrict the URL Scheme. While the application is intended to "upload assets", there is no...

7 CVSS, 5.8 AI score, 0.00275 EPSS
Exploits 0, References 4