GHSA-CH4J-VCF5-58X5 Cockpit CMS: Stored cross-site scripting vulnerability in the Set field type's Display template option

Cockpit CMS through version 2.14.0, patched in commit 72a83fc, contains a stored cross-site scripting vulnerability in the Set field type's Display template option, where the template string is processed by the $interpolate function using new Function and rendered via Vue's v-html directive witho...

CVE-2026-45228

Quark Drive before 0.8.5 contains a stored cross-site scripting vulnerability in the System Configuration page where the template renders pushconfig key names using Vue.js's v-html directive without escaping. Authenticated attackers can inject HTML or JavaScript payloads as key names through the...

CVE-2026-44245 Kyverno: [policy-reporter-ui] XSS via Stored Property Values in PropertyCard Component

Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to 2.5.2, Vue 3's v-html directive is the framework-documented mechanism for injecting raw HTML, and it intentionally disables the auto-escaping that interpolation provides. The PropertyCard.vue component uses...

GHSA-Q98M-7W8C-W388 Kyverno policy-reporter-ui has XSS via Stored Property Values in PropertyCard Component

Summary Vue 3's v-html directive is the framework-documented mechanism for injecting raw HTML, and it intentionally disables the auto-escaping that interpolation provides. The PropertyCard.vue component uses v-html for the else branch of the URL check, meaning any non-URL string value flows...

CVE-2025-68942

Gitea before 1.22.2 allows XSS because the search input box for creating tags and branches is v-html instead of v-text...

Cross Site Scripting (XSS)

NiceGUI is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to the ui.interactiveimage component rendering SVG content using Vue’s v-html directive without sanitization, which allows an attacker to inject malicious HTML or JavaScript via the SVG tag when the image component is...