Security Headlines

Tag: #xss
GHSA-829q-m3qg-ph8r: Vega XSS via expression abusing vlSelectionTuples function array map calls in environments with satisfactory function gadgets in the global scope

## Impact

Applications meeting these two conditions are at risk of arbitrary JavaScript code execution, even if the "safe mode" [expressionInterpreter](https://vega.github.io/vega/usage/interpreter/) is used.

1. Use `vega` in an application that attaches both the `vega` library and a `vega.View` instance to the global `window`, similar to the Vega [Editor](https://github.com/vega/editor), or has any other satisfactory function gadgets in the global scope
2. Allow user-defined Vega `JSON` definitions (vs JSON that is only provided through source code)

## Patches

- With Vega v6, use `vega-selections@6.1.2` (requires ESM)
- With Vega v5, use `vega-selections@5.6.3` (no ESM needed)

## Workarounds

- Do not attach `vega` or `vega.View` instances to global variables or the window as the editor used to do [here](https://github.com/vega/editor/blob/e102355589d23cdd0dbfd607a2cc5f9c5b7a4c55/src/components/renderer/renderer.tsx#L239). This is a development-only debugging practice that should n...

Researchers Warn of Data Exposure Risks in Claude Chrome Extension

Security experts at Zenity Labs warn that Anthropic’s new agentic browser extension, Claude in Chrome, could bypass traditional web security, exposing private data and login tokens to potential hijackers.

GHSA-7wwv-79xw-rvvg: Vaadin vulnerable to Cross-site Scripting

Action captions in Vaadin accept HTML by default but were not sanitized, potentially allowing Cross-site Scripting (XSS) if caption content is derived from user input. In Vaadin Framework 7 and 8, the Action class is a general-purpose class that may be used by multiple components. The fixed versions sanitize captions by default and provide an API to explicitly enable HTML content mode for backwards compatibility. In Vaadin 23 and newer, the Action class is only used by the Spreadsheet component. The fixed versions sanitize HTML using Jsoup with a relaxed safelist. Vaadin 14 is not affected, as the Spreadsheet component was not supported there. Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:

| Product version | Mitigation |
| --- | --- |
| Vaadin 7.0.0 - 7.7.49 | Upgrade to 7.7.50 |
| Vaadin 8.0.0 - 8.29.1 | Upgrade to 8.30.0 |
| Vaadin 23.1.0 - 23.6.5 | Upgrade to 23.6.6 |
| Vaadin 24.0.0 - 24.8.13 | Upgrade to 24.8.14 or 24.9.7 |
| Vaadin 24.9.0 - 24.9.6 | Upgrade... |

GHSA-jmr4-p576-v565: listmonk Vulnerable to Stored XSS Leading to Admin Account Takeover

## Security Advisory: Stored XSS Leading to Admin Account Takeover

**Affected Versions:** ≤ 5.1.0
**Vulnerability Type:** CWE-79: Stored Cross-Site Scripting

---

## Summary

A lower-privileged user with campaign management permissions can inject malicious JavaScript into campaigns or templates. When a higher-privileged user (Super Admin) views or previews this content, the XSS executes in their browser context, allowing the attacker to perform privileged actions such as creating backdoor admin accounts. The attack can be weaponized via the **public archive feature**, where victims simply need to visit a link - no preview click required.

---

## Required Attacker Permissions

```
campaigns:manage - Create/edit campaigns
campaigns:get    - View campaigns
lists:get_all    - Access lists
templates:get    - Access templates
```

**Note:** These are common permissions for content managers who are not full admins.

---

## Attack Vectors

### Vector 1: Raw HTML (Direct ...

GHSA-2mwc-h2mg-v6p8: Bagisto has HTML Filter Bypass that Enables Stored XSS

### Summary

A stored Cross-Site Scripting (XSS) vulnerability exists in Bagisto 2.3.8 within the CMS page editor. Although the platform normally attempts to sanitize `<script>` tags, the filtering can be bypassed by manipulating the raw HTTP POST request before submission. As a result, arbitrary JavaScript can be stored in the CMS content and executed whenever the page is viewed or edited. This exposes administrators to a high-severity risk, including complete account takeover, backend hijacking, and malicious script execution.

### Details

Bagisto's CMS editor includes an HTML sanitization mechanism intended to protect against script injection by wrapping raw script content in `<div>` elements. However, this mechanism is applied only to requests submitted through the UI. When the CMS update request is intercepted and modified at the HTTP level, the sanitization layer fails to strip or encode embedded `<script>` tags. Because the back-end trusts the manipulated request, the malicious scri...

GHSA-p4f6-h8jj-vfvf: Duplicate Advisory: Reflected XSS in go-httpbin due to unrestricted client control over Content-Type

### Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-528q-4pgm-wvg2. This link is maintained to preserve external references.

### Original Description

A cross-site scripting (XSS) vulnerability in mccutchen httpbin v2.17.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

GHSA-g9jg-w8vm-g96v: Trix has a stored XSS vulnerability through its attachment attribute

### Impact

The Trix editor, in versions prior to 2.1.16, is vulnerable to XSS attacks through attachment payloads. An attacker could inject malicious code into a `data-trix-attachment` attribute that, when rendered as HTML and clicked on, could execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed.

### Patches

Update Recommendation: Users should upgrade to Trix editor version 2.1.16 or later.

### Resources

The XSS vulnerability was reported by HackerOne researcher [michaelcheers](https://hackerone.com/michaelcheers?type=user).

Everest Ransomware Leaks 1TB of Stolen ASUS Data

On December 2, 2025, Hackread.com exclusively reported that the Everest ransomware group claimed to have stolen 1TB of…

GHSA-2267-xqcf-gw2m: FacturaScripts is Vulnerable to Stored Cross-Site Scripting (XSS) via XML File Upload

A stored cross-site scripting (XSS) vulnerability exists in the product file upload functionality. Authenticated users can upload crafted XML files containing executable JavaScript. These files are later rendered by the application without sufficient sanitization or content-type enforcement, allowing arbitrary JavaScript execution when the file is accessed. Because product files uploaded by regular users are visible to administrative users, this vulnerability can be leveraged to execute malicious JavaScript in an administrator’s browser session.

GHSA-6mp4-q625-mxjp: YOURLS is vulnerable to XSS through JSONP and Callback request parameters

### Summary

The **callback** and **jsonp** request parameters are directly concatenated into the response without any sanitization, allowing attackers to inject arbitrary JS code. When **YOURLS_PRIVATE** is set to **false** (public API mode), this vulnerability can be exploited by any unauthenticated attacker. In private mode, the XSS payload is still injected into the 403 response body, though browser execution is blocked.

### Details

The vulnerability exists in the JSONP callback handling chain:

```
yourls-api.php:127-128
// The raw request parameter is copied into $return without validation
if( isset( $_REQUEST['callback'] ) )
    $return['callback'] = $_REQUEST['callback'];
elseif ( isset( $_REQUEST['jsonp'] ) )
    $return['callback'] = $_REQUEST['jsonp'];
```

---

```
includes/functions-api.php:127-128
// The unvalidated callback name is concatenated straight into the response body
$callback = isset( $output['callback'] ) ? $output['callback'] : '';
$result = $callback . '(' . json_encode( $output ) . ')';
```

### PoC

I. YOURLS instance with YOURLS_PRIVATE set to false in config.php or user authenticated to a private YOURLS...