| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, the HTML sanitizer grants <macro> elements unrestricted data-* attributes via :data wildcard. An attacker injects data-controller="poll-for-changes" into a work package description, causing Stimulus.js to mount a controller that fetches an attacker-uploaded attachment and passes it to renderStreamMessage(). This executes arbitrary Turbo Stream actions — including redirect_to — in every victim's authenticated browser session, redirecting them to an attacker-controlled server. This vulnerability is fixed in 17.3.3 and 17.4.1. |
| Unauthenticated Cross Site Scripting (XSS) in SureCart <= 4.3.2 versions. |
| Unauthenticated Cross Site Scripting (XSS) in weMail <= 2.1.2 versions. |
| Contributor Cross Site Scripting (XSS) in StatCounter <= 2.1.1 versions. |
| Contributor Cross Site Scripting (XSS) in Magazine Blocks <= 1.8.3 versions. |
| Unauthenticated Cross Site Scripting (XSS) in Responsive Lightbox <= 2.7.6 versions. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tim Strifler Exclusive Addons Elementor allows Stored XSS.
This issue affects Exclusive Addons Elementor: from n/a through 2.7.9.8. |
| Unauthenticated Cross Site Scripting (XSS) in Customer Reviews for WooCommerce <= 5.110.1 versions. |
| Contributor Cross Site Scripting (XSS) in SeedProd Pro < 6.19.5 versions. |
| Unauthenticated Cross Site Scripting (XSS) in WoodMart <= 8.5.3 versions. |
| Unauthenticated Cross Site Scripting (XSS) in Everest Forms <= 3.4.8 versions. |
| Subscriber Cross Site Scripting (XSS) in SureCart <= 4.2.2 versions. |
| Unauthenticated Cross Site Scripting (XSS) in Simply Schedule Appointments <= 1.6.12.2 versions. |
| Unauthenticated Cross Site Scripting (XSS) in FOX <= 1.4.8 versions. |
| Unauthenticated Cross Site Scripting (XSS) in Blog2Social <= 8.9.2 versions. |
| Unauthenticated Cross Site Scripting (XSS) in Automatic < 3.135.1 versions. |
| Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI patched SVG XSS in user profile images and webhook profile images but forgot to apply the same fix to model profile images. The ModelMeta class has no validate_profile_image_url field validator, and the model image serving endpoint has no MIME allowlist or nosniff header. Any authenticated user with workspace.models permission (enabled by default) can store a data:image/svg+xml;base64,... payload in a model's profile image and achieve full account takeover of anyone who navigates to the image URL. This vulnerability is fixed in 0.9.6. |
| Unauthenticated Cross Site Scripting (XSS) in MapPress Maps for WordPress <= 2.97.3 versions. |
| SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, renderPackageREADME in kernel/bazaar/readme.go renders a Bazaar package README from Markdown to HTML with the lute engine and SetSanitize(true). The lute sanitizer is an event-handler blocklist: allowAttr rejects only attribute names present in a fixed eventAttrs map copied from the w3schools legacy handler list. That map omits modern event handlers. onpointerover, onpointerdown, onauxclick, onbeforetoggle, onfocusin, onanimationstart, and ontransitionend are not in the list, so the sanitizer passes them through verbatim on any tag. The frontend assigns the rendered HTML to mdElement.innerHTML in app/src/config/bazaar.ts with no client-side DOMPurify on this path, into a normal element in the main document (no iframe, no sandbox). The kernel sends no Content-Security-Policy, X-Frame-Options, or X-Content-Type-Options header on any response, so an inline handler runs when its event fires. The README is rendered when an Administrator opens a package in Settings → Marketplace, after the one-time marketplace trust consent. Install is not required. Result: a third-party Bazaar package author runs JavaScript in the Administrator's authenticated SiYuan origin when the Administrator views and interacts with the package listing, and gains full control of the workspace. This vulnerability is fixed in 3.7.0. |
| Contributor Cross Site Scripting (XSS) in Fluent Booking <= 2.1.0 versions. |
