#xss

Element Plus Link component (el-link) prior to 2.11.0 implements insufficient input validation for the href attribute, creating a security abstraction gap that obscures URL-based attack vectors. The component passes user-controlled href values directly to underlying anchor elements without protocol validation, URL sanitization, or security headers. This allows attackers to inject malicious URLs using dangerous protocols (javascript:, data:, file:) or redirect users to external malicious sites. While native HTML anchor elements present similar risks, UI component libraries bear additional responsibility for implementing security safeguards and providing clear risk documentation. The vulnerability enables XSS attacks, phishing campaigns, and open redirect exploits affecting applications that use Element Plus Link components with user-controlled or untrusted URL inputs.

A stored cross-site scripting vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 and 7.4 GA through update 92 allows an remote authenticated attacker to inject JavaScript through Custom Object field label. The malicious payload is stored and executed through Process Builder's Configuration tab without proper escaping.

Cross Site Scripting vulnerability in YesWiki v.4.5.4 allows a remote attacker to execute arbitrary code via a crafted payload to the meta configuration robots field.

An XSS issue was reported in the MCP Inspector local development tool when connecting to an untrusted remote MCP server with a malicious redirect URI. This could be leveraged to interact directly with the inspector proxy to trigger arbitrary command execution. Users are advised to update to 0.16.6 to resolve this issue. Thank you to the following researchers for their reports and contributions: * Raymond (Veria Labs) * Gavin Zhong, [superboyzjc@gmail.com](mailto:superboyzjc@gmail.com) & Shuyang Wang, [swang@obsidiansecurity.com](mailto:swang@obsidiansecurity.com).

### Summary Admin UI user password changes in Fides do not invalidate active user sessions, creating a vulnerability chaining opportunity where attackers who have obtained session tokens through other attack vectors (such as XSS) can maintain access even after password reset. This issue is not directly exploitable on its own and requires a prerequisite vulnerability to obtain valid session tokens in the first place. ### Details Fides uses encrypted authentication tokens with extended expiration periods. When a password is changed via password reset endpoints, the system updates the password hash in the database but does not invalidate existing client sessions or tokens. The authentication system validates tokens based on their cryptographic integrity and expiration time, not against the current password state. The frontend application stores authentication state in browser local storage, which persists across browser sessions until explicit logout or natural token expiration. This...

An arbitrary file upload vulnerability in the Chat Trigger component of N8N v1.95.3, v1.100.1, and v1.101.1 allows attackers to execute arbitrary code via uploading a crafted HTML file.

Cybersecurity never slows down. Every week brings new threats, new vulnerabilities, and new lessons for defenders. For security and IT teams, the challenge is not just keeping up with the news—it’s knowing which risks matter most right now. That’s what this digest is here for: a clear, simple briefing to help you focus where it counts. This week, one story stands out above the rest: the

### Summary When using Astro's Cloudflare adapter (`@astrojs/cloudflare`) configured with `output: 'server'` while using the default `imageService: 'compile'`, the generated image optimization endpoint doesn't check the URLs it receives, allowing content from unauthorized third-party domains to be served. ### Details On-demand rendered sites built with Astro include an `/_image` endpoint, which returns optimized versions of images. The `/_image` endpoint is restricted to processing local images bundled with the site and also supports remote images from domains the site developer has manually authorized (using the [`image.domains`](https://docs.astro.build/en/reference/configuration-reference/#imagedomains) or [`image.remotePatterns`](https://docs.astro.build/en/reference/configuration-reference/#imageremotepatterns) options). However, a bug in impacted versions of the `@astrojs/cloudflare` adapter for deployment on Cloudflare’s infrastructure, allows an attacker to bypass the thir...

Memos 0.22 is vulnerable to Stored Cross site scripting (XSS) vulnerabilities by the upload attachment and user avatar features. Memos does not verify the content type of the uploaded data and serve it back as is. An authenticated attacker can use this to elevate their privileges when the stored XSS is viewed by an admin.

Cross-Site Scripting (XSS) has been a known vulnerability class for two decades, yet it continues to surface in modern applications, including those built with the latest frameworks and cloud-native architectures. At Microsoft, we still receive a steady stream of XSS reports across our services, from legacy portals to newly deployed single-page apps.