Cross-site Scripting (XSS)
Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to the lack of a security header on certain user-uploaded content served from repositories. An attacker can execute arbitrary scripts in the context of another user by uploading specially crafted content and...
CVE-2025-13488
The CVE-2025-13488 entry concerns Sonatype Nexus Repository 3, where a regression in version 3.83.0 stops applying a security header to certain user-uploaded content served from repositories, enabling stored XSS in the context of the viewing user. The affected component is the Nexus Repository 3 plugin chain handling ...
GHSA-4WX8-5GM2-2J97 filebrowser allows Stored Cross-Site Scripting through the Markdown preview function
Summary: The Markdown preview function of File Browser v2.32.0 is vulnerable to Stored Cross-Site Scripting (XSS). Any JavaScript code that is part of a Markdown file uploaded by a user will be executed by the browser. Impact: A user can upload a malicious Markdown file to the application which can...
Cross-Site Scripting (XSS)
camaleoncms is vulnerable to cross-site scripting (XSS). The vulnerability is due to the ability of normal registered users to upload SVG images containing JavaScript, or HTML documents, by manipulating the format parameter, allowing malicious scripts to execute when an authenticated user or...
joola.io: X-Content-Type-Options header missing
Hello Team, the application doesn't have a header setting for X-Content-Type-Options, which means it is vulnerable to MIME sniffing. The only defined value, "nosniff", prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type. This also applies to Google...