Cross-site Scripting (XSS)
Overview org.webjars.npm:tinymce is a WebJar for tinymce. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via improper handling of SVG namespace scope by the sanitizer. An attacker can execute arbitrary JavaScript by crafting a payload with nested SVG elements that...
Cross-site Scripting (XSS)
Overview org.webjars.npm:tinymce is a WebJar for tinymce. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via unsanitized data-mce-href, data-mce-src, and data-mce-style attributes. An attacker can execute arbitrary scripts in the context of the user's browser by...
Cross-site Scripting (XSS)
Overview org.webjars.npm:tinymce is a WebJar for tinymce. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the media plugin when handling crafted data-mce- attributes. An attacker can execute arbitrary scripts in the context of the user's browser by injecting...
Cross-site Scripting (XSS)
Overview org.webjars.npm:tinymce is a WebJar for tinymce. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the mce:protected comments. An attacker can execute arbitrary scripts in the context of affected users by injecting malicious content that bypasses sanitizati...
XWiki Platform vulnerable to potential arbitrary file writing using path traversal from (subwiki) admin
Impact A potential path traversal vulnerability allows an attacker who manages to get a malicious WebJar extension installed on the wiki to write arbitrary files. While the consequences could be severe, such as overriding configuration files and setting the superadmin password, the attack first requir...
PT-2026-43465
Name of the Vulnerable Software and Affected Versions
XWiki versions prior to 16.10.17
XWiki versions prior to 17.4.9
XWiki versions prior to 17.10.3
XWiki versions prior to 18.0.0RC1
Description
A path traversal issue allows an attacker to write arbitrary files, which could lead to overriding...
org.webjars.npm:degenerator (=4.0.4), org.webjars.npm:pac-resolver (=6.0.2) +1 more potentially affected by CVE-2026-44002 via org.webjars.npm:vm2 (=3.9.19)
org.webjars.npm:vm2 MAVEN version =3.9.19 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.npm:vm2 and may be impacted: - org.webjars.npm:degenerator =4.0.4 - org.webjars.npm:pac-resolver =6.0.2 - org.webjars.npm:rocket.chatapps-engine =1.35...
Infinite loop
Overview org.webjars.npm:node-forge is a WebJar for node-forge. Affected versions of this package are vulnerable to Infinite loop via the modInverse function. An attacker can cause the application to hang indefinitely and consume excessive CPU resources by supplying a zero value as input, resulti...
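The hang described above comes from the binary extended-GCD loop that jsbn-derived BigInteger code uses for modInverse: the inner step "halve the value while it is even" never exits for 0, because 0 is even and 0 >> 1 is still 0. The following is an added illustration, not node-forge's or jsbn's code: a BigInt implementation of that algorithm (restricted to an odd modulus, which keeps the bookkeeping short) with the zero-input guard in front of the loop, plus a capped helper that shows the root cause in isolation. Function names and the sample moduli are this example's own.

```javascript
// Added illustration (not node-forge's code): binary extended-GCD modular
// inverse with the guard that prevents the zero-input hang.

function isEven(x) {
  return (x & 1n) === 0n;
}

// Root cause in isolation: halving until odd never terminates for 0.
// Returns the number of halvings, or -1 if the cap is hit (would spin forever).
function halvingsUntilOdd(v, cap = 64) {
  let n = 0;
  while (isEven(v) && n < cap) { v >>= 1n; n++; }
  return isEven(v) ? -1 : n;
}

// Returns a^-1 mod m for odd m > 1, or null when gcd(a, m) != 1.
// Throws RangeError for a ≡ 0 (mod m) instead of looping forever.
function modInverse(a, m) {
  if (typeof a !== 'bigint' || typeof m !== 'bigint') throw new TypeError('bigint expected');
  if (m <= 1n || isEven(m)) throw new RangeError('modulus must be odd and > 1');
  a = ((a % m) + m) % m;
  // The guard: without it, v = 0 below makes "while (isEven(v))" spin forever.
  if (a === 0n) throw new RangeError('0 has no modular inverse');

  // Invariants: u ≡ b*a (mod m) and v ≡ d*a (mod m) throughout.
  let u = m, v = a;
  let b = 0n, d = 1n;
  while (u !== 0n) {
    while (isEven(u)) {
      u >>= 1n;
      if (!isEven(b)) b -= m;  // make b even without changing it mod m (m is odd)
      b >>= 1n;
    }
    while (isEven(v)) {        // v is never 0 here thanks to the guard above
      v >>= 1n;
      if (!isEven(d)) d -= m;
      d >>= 1n;
    }
    if (u >= v) { u -= v; b -= d; } else { v -= u; d -= b; }
  }
  if (v !== 1n) return null;   // gcd(a, m) != 1: no inverse exists
  d %= m;
  if (d < 0n) d += m;
  return d;
}

// Convenience check a caller can use on the result.
function isInverse(a, inv, m) {
  return inv !== null && (((a % m) + m) % m * inv) % m === 1n;
}
```

The check at the top is the whole fix: validate the operand before entering a loop whose termination depends on it being non-zero. A library that instead returns a sentinel (as jsbn does for other degenerate inputs) is fine too, as long as the sentinel is checked before the loop rather than after.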
Interpretation Conflict
Overview org.webjars.npm:node-forge is a WebJar for node-forge. Affected versions of this package are vulnerable to Interpretation Conflict via the asn1.validate function. An attacker can cause schema validation to become desynchronized, resulting in semantic divergence that may allow bypassing...
Prototype Pollution
Overview org.webjars.npm:expr-eval is a WebJar for expr-eval. Affected versions of this package are vulnerable to Prototype Pollution via the evaluation process, which accesses global values by searching for item.value in expr.functions. An attacker can access prototype, __proto__, constructor, and...
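The weakness above is a name-keyed lookup on a plain object: `table[name]` finds inherited members such as `constructor` and `__proto__` as readily as the entries the evaluator meant to expose. The block below is an added illustration, not expr-eval's code, of that lookup beside two fixes (an own-property check and a null-prototype table); the function table and names are constructed for the example.

```javascript
// Added illustration (not expr-eval's code): why a plain-object lookup
// reaches Object.prototype, and two ways to close it.

// Constructed function table, as an expression evaluator might keep one.
const functionsUnsafe = {
  abs: Math.abs,
  max: Math.max,
};

// Vulnerable: anything on Object.prototype counts as "found".
function lookupUnsafe(table, name) {
  return table[name];
}

// Fix (a): only own properties count.
function lookupOwn(table, name) {
  return Object.prototype.hasOwnProperty.call(table, name) ? table[name] : undefined;
}

// Fix (b): keep the table on a null-prototype object; there is nothing to inherit.
function makeTable(entries) {
  const t = Object.create(null);
  for (const [k, v] of Object.entries(entries)) t[k] = v;
  return t;
}

// What each strategy yields for an attacker-chosen identifier.
function probe(name) {
  const nullTable = makeTable(functionsUnsafe);
  return {
    unsafe: typeof lookupUnsafe(functionsUnsafe, name),
    own: typeof lookupOwn(functionsUnsafe, name),
    nullProto: typeof lookupUnsafe(nullTable, name),
  };
}

// Why "constructor" matters: on a plain object it resolves to Object, and
// Object.constructor is Function, so a string identifier reaches the
// Function constructor.
function reachesFunctionCtor(table) {
  const ctor = lookupUnsafe(table, 'constructor');
  return ctor !== undefined && ctor.constructor === Function;
}
```

Of the two fixes, the null-prototype table is the more robust: it also protects any other code path that indexes the same object without going through the guarded lookup.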
Incomplete Filtering of Special Elements
Overview org.webjars.npm:angular is a WebJar for angular. Affected versions of this package are vulnerable to Incomplete Filtering of Special Elements due to improper sanitization of the href and xlink:href attributes in SVG elements. An attacker can bypass image source restrictions and negativel...
Incomplete Filtering of Special Elements
Overview org.webjars.bower:angular is a bower WebJar for angular. Affected versions of this package are vulnerable to Incomplete Filtering of Special Elements due to improper sanitization of the href and xlink:href attributes in SVG elements. An attacker can bypass image source restrictions and...
org.webjars.bower:boosted (>=3.2.0 <=3.3.3), org.webjars.bower:jpkleemans-angular-validate (=1.1.1) +14 more potentially affected by CVE-2025-3573 via org.webjars.bower:jquery-validation (>=1.13.1 <=1.19.5)
org.webjars.bower:jquery-validation MAVEN version =1.13.1, =3.2.0, =0.1.13, =1.8.0, =2.6.0, =2.7.1, =2.9.1, =3.27.0, =3.28.2, =3.31.0 and more Source cves: CVE-2025-3573 Source advisory: SNYK:JAVA-ORGWEBJARSBOWER-9788112...
CVE-2021-33611 Reflected cross-site scripting in vaadin-menu-bar webjar resources in Vaadin 14
Missing output sanitization in test sources in org.webjars.bowergithub.vaadin:vaadin-menu-bar versions 1.0.0 through 1.2.0 (Vaadin 14.0.0 through 14.4.4) allows remote attackers to execute malicious JavaScript in the browser by opening a crafted URL. See CWE-79: Improper Neutralization of Input During We...
GHSA-66Q9-F7FF-MMX6 Local file inclusion vulnerability in http4s
Impact This vulnerability applies to all users of:
org.http4s.server.staticcontent.FileService
org.http4s.server.staticcontent.ResourceService
org.http4s.server.staticcontent.WebjarService
Path escaping / URI normalization is applied incorrectly. Requests whose path info contain ../ or // can expos...
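The two tokens named above, `../` and `//`, are exactly the ones a static-content resolver has to handle before joining the request path onto its root. The block below is an added illustration, not http4s code: a segment-wise normalizer that decodes the path once, collapses empty and `.` segments (so `//` and `/./` cannot split a `..` check), resolves `..`, and refuses any request that climbs above the root. The root directory and request paths are constructed for the example.

```javascript
// Added illustration (not http4s code): resolving a request path against a
// static-content root so that "../" and "//" cannot escape it.

// Collapse "//" and ".", resolve "..", and report whether ".." ever climbed
// above the root. Works on the decoded path, segment by segment.
function normalizePath(pathInfo) {
  const out = [];
  let escaped = false;
  for (const seg of pathInfo.split('/')) {
    if (seg === '' || seg === '.') continue;  // "//" and "/./" contribute nothing
    if (seg === '..') {
      if (out.length === 0) escaped = true;   // nothing left to pop: above the root
      else out.pop();
      continue;
    }
    out.push(seg);
  }
  return { segments: out, escaped };
}

// Decode once, then normalize; null means "refuse the request".
// Decoding before normalizing is what catches "%2e%2e/".
function resolveUnderRoot(root, pathInfo) {
  let decoded;
  try {
    decoded = decodeURIComponent(pathInfo);
  } catch {
    return null;                              // malformed percent-encoding
  }
  if (decoded.includes('\0')) return null;    // NUL truncates paths in native APIs
  if (decoded.includes('\\')) return null;    // backslash is a separator on Windows
  const { segments, escaped } = normalizePath(decoded);
  if (escaped) return null;
  return root + '/' + segments.join('/');
}

// The broken pattern for contrast: join first, normalize never.
function naiveJoin(root, pathInfo) {
  return root + '/' + pathInfo;
}
```

Normalization of the request path is necessary but not sufficient: it does nothing about symlinks inside the root, so a server that must also defend against those resolves the final path with realpath and checks that the result still starts with the root.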