MIRAGE: Context-Aware Prompt Injection against Mobile GUI Agents Via User-Generated Content

Mobile graphical user interface GUI agents driven by vision-language models VLMs perceive the screen as rendered pixels and choose actions from what they see, so they cannot reliably separate trusted interface elements from user-generated content. We present MIRAGE Mobile Injection of Realistic...

CVE-2026-33335 Vikunja Desktop allows arbitrary local application invocation via unvalidated shell.openExternal

Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper passes URLs from window.open calls directly to shell.openExternal without any validation or protocol allowlisting. An attacker who can place ...

Mailgen has HTML Injection and XSS Filter Bypass in Plaintext Emails

Summary An HTML injection vulnerability in plaintext emails generated by Mailgen has been discovered. Projecta are affected if the Mailgen.generatePlaintextemail method is used and passed in user-generated content. The issue was discovered and reported by Edoardo Ottavianelli @edoardottt. Details...

mailgen 跨站脚本漏洞

mailgen is a mail generation library by the individual developer Elad Nava. A cross-site scripting vulnerability exists in mailgen version 2.0.31 and earlier, which stems from the generatePlaintext method not properly filtering HTML tags when processing user-generated content, which could lead to...

EUVD-2021-23972

Malware in sbrugna...

EUVD-2021-13490

Malware in sbrugna...

EUVD-2021-10752

Malware in sbrugna...

EUVD-2022-7050

Malicious code in bioql PyPI...

EUVD-2022-7147

Malicious code in bioql PyPI...

EUVD-2022-7082

Malicious code in bioql PyPI...

EUVD-2022-2355

Malicious code in bioql PyPI...

EUVD-2024-0455

Malicious code in bioql PyPI...

Cross-Site Scripting (XSS)

ibexa/admin-ui is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper handling of user-generated content, allowing attackers with Editor or Administrator privileges to inject persistent XSS payloads that can later execute in the front office...

CVE-2024-23905

Jenkins Red Hat Dependency Analytics Plugin 0.7.1 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download...

CVE-2022-43433

Jenkins ScreenRecorder Plugin 0.7 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download...

CVE-2022-43434

Jenkins NeuVector Vulnerability Scanner Plugin 1.20 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download...

CVE-2021-26698

OX App Suite before 7.10.3-rev32 and 7.10.4 before 7.10.4-rev18 allows XSS via a code snippet user-generated content when a sharing link is created and the dl parameter is used...

CVE-2021-37403

OX App Suite before 7.10.3-rev32 and 7.10.4 before 7.10.4-rev18 allows XSS via a code snippet user-generated content when a sharing link is created and an App Loader relative URL is used...

CVE-2020-2214

Jenkins ZAP Pipeline Plugin 1.9 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download...

Google Algorithm Slashes Reddit Traffic: What It Means for UGC Platforms

Reddit Struggles After Google's New Focus on Expertise...