WhisperX tag archive

#web-security

This page collects WhisperX intelligence signals tagged #web-security. It is designed for humans, search engines, and AI agents: each item links to a canonical source-backed record with sector, source, timestamp, credibility, and exportable structured data.

Latest Signals (20)

The Lab · 2026-03-25 07:52:35 · GitHub Issues

1. DOMPurify Security Update Patches Critical mXSS Vulnerabilities (CVE-2025-26791, CVE-2025-15599)

A routine dependency update for the widely-used DOMPurify library masks a critical security response. The update to version 3.3.2 patches two significant vulnerabilities that could enable mutation cross-site scripting (mXSS) attacks, a stealthy and dangerous form of web exploitation. This is not a minor chore; it's a m...

The Lab · 2026-03-25 20:27:22 · GitHub Issues

2. DOMPurify Security Patch: Critical XSS Bypass in Widespread HTML Sanitizer (CVE-2026-0540)

A critical security vulnerability in DOMPurify, a widely-used HTML sanitization library, has been patched after exposing countless web applications to cross-site scripting (XSS) attacks. The flaw, tracked as CVE-2026-0540, allowed attackers to bypass the library's core security filters by exploiting a specific oversigh...

The Lab · 2026-03-28 06:26:55 · GitHub Issues

3. DOMPurify v3 Security Update Patches Critical mXSS Vulnerability (GHSA-h8r8-wccr-v5f2)

A critical mutation-XSS (mXSS) vulnerability in the widely-used DOMPurify HTML sanitization library has been patched, forcing a major version update from 2.3.8 to 3.3.2. The flaw, tracked as GHSA-h8r8-wccr-v5f2, allows malicious payloads to bypass sanitization and execute when sanitized HTML is reinserted into a new pa...

The Lab · 2026-03-28 10:27:00 · GitHub Issues

4. DOMPurify Security Update: Critical mXSS Vulnerability Fixed, Affecting a Mainstream HTML Sanitization Library

A critical mutation cross-site scripting (mXSS) vulnerability has been confirmed in the widely used HTML sanitization library DOMPurify. When sanitized HTML is reinserted into a new parsing context (for example via `innerHTML`) and specific wrapper elements are used, an attacker may bypass the protections and execute malicious script. This vulnerability directly threatens the security foundation of the countless web applications that rely on DOMPurify to defend against XSS attacks. The vulnerability is identified as GHSA-h8r8-wccr-v5f2 and was disclosed in a security advisory by the DOMPurify project, which is maintained by the Cure53 team. The affected wrapper elements include `script`, `xmp`, `iframe`, `noembed`, `noframes` and `noscript`. The key point is that...

The Lab · 2026-03-28 12:26:58 · GitHub Issues

5. Security Alert: DOMPurify 3.3.2 Patches Critical mXSS Vulnerability (GHSA-h8r8-wccr-v5f2)

A critical mutation-based cross-site scripting (mXSS) vulnerability in the widely-used DOMPurify library has prompted an urgent security update to version 3.3.2. The flaw, tracked as GHSA-h8r8-wccr-v5f2, was confirmed when sanitized HTML could be mutated by a browser's parser into a malicious form, potentially bypassin...

The Lab · 2026-03-28 13:27:06 · GitHub Issues

6. DOMPurify Security Update: Critical mXSS Vulnerability in HTML Sanitizer (GHSA-h8r8-wccr-v5f2)

A critical mutation-XSS (mXSS) vulnerability has been confirmed in the widely-used DOMPurify HTML sanitization library, tracked as GHSA-h8r8-wccr-v5f2. This security flaw allows malicious payloads to bypass sanitization and execute when sanitized HTML is reinserted into a new parsing context using `innerHTML`. The vuln...

The Lab · 2026-04-02 04:27:04 · GitHub Issues

7. CodeQL Flags Critical Type Confusion Vulnerability in 'routes/search.ts' (CVSS 9.8)

A scheduled security scan has flagged a critical vulnerability in the codebase. The CodeQL analysis tool identified a potential type confusion issue in the file `routes/search.ts` at line 22, assigning it a maximum severity CVSS score of 9.8. The core of the warning is that a specific HTTP request parameter may be inte...

The Lab · 2026-04-06 15:27:14 · GitHub Issues

8. Dependabot Flags esbuild CORS Vulnerability (GHSA-67mh-4wv8-2f99), Exposing Dev Server Source Code

A moderate-severity security vulnerability in the widely used `esbuild` bundler has been flagged by GitHub's Dependabot, exposing development servers to potential source code exfiltration. The flaw, tracked as GHSA-67mh-4wv8-2f99, stems from esbuild's development server incorrectly setting a permissive `Access-Control-...

The Lab · 2026-04-08 00:26:59 · GitHub Issues

10. DOMPurify 3.2.6 mXSS Flaw: Sanitized HTML Can Mutate to Execute JavaScript

A critical mutation-XSS (mXSS) vulnerability has been confirmed in DOMPurify versions prior to 3.3.2. The flaw allows seemingly sanitized HTML to transform into executable JavaScript when reinserted into a new parsing context, specifically within special wrapper elements. This bypasses the library's core security funct...

The Lab · 2026-04-08 00:27:00 · GitHub Issues

11. DOMPurify 3.2.6 Security Flaw: Predicate Function Bypass Allows JavaScript Execution

A critical bypass in the DOMPurify sanitization library allows malicious JavaScript to slip through security checks, posing a direct threat to web applications relying on it for user input sanitization. The vulnerability, tracked as GHSA-cjmm-f4jc-qw8r, stems from a flaw in how the library handles custom attribute vali...

The Lab · 2026-04-08 17:27:23 · GitHub Issues

12. DOMPurify Security Patch: Critical XSS Bypass in Versions 3.1.3-3.3.1 Fixed in v3.3.2

A critical cross-site scripting (XSS) vulnerability in the widely-used DOMPurify HTML sanitization library has been patched, forcing a mandatory update for thousands of dependent applications. The flaw, tracked as CVE-2026-0540, allowed attackers to bypass the library's core security filters by exploiting a specific ov...

The Lab · 2026-04-09 11:27:05 · GitHub Issues

13. Semgrep Flags XSS Vulnerability in PHP Code: Unsafe User Data Reaches Sink

A Semgrep security scan has flagged a critical Cross-Site Scripting (XSS) vulnerability in a PHP codebase. The automated rule `xss-and-debug` detected that user-controlled data is being directly embedded into HTML output without proper sanitization, creating a direct path for a potential attack. The specific line of co...

The Lab · 2026-04-11 07:22:25 · GitHub Issues

14. CodeQL Flags Critical Template Object Injection in Juice Shop's Data Erasure Route (CVSS 9.3)

A scheduled security scan has flagged a critical vulnerability in the OWASP Juice Shop project, with a CVSS score of 9.3 indicating a high-severity risk. The automated CodeQL analysis identified a Template Object Injection flaw within the `routes/dataErasure.ts` file, specifically on line 72. This type of vulnerability...

The Lab · 2026-04-14 02:22:42 · GitHub Issues

15. Apache Tomcat Vulnerability: Specific Rewrite Rule Configurations Can Be Bypassed, Affecting Multiple Versions

A security vulnerability has been found in a core component of Apache Tomcat that allows attackers, under specific configurations, to bypass critical URL rewrite rules. The vulnerability is tracked as CVE-2025-31651 (GHSA-ff77-26x5-69cr), and its root cause lies in improper handling of escape, meta or control sequences. If the bypassed rewrite rules happen to be used to enforce security constraints, those restrictions may fail, opening a gap for potential attack paths. The vulnerability has a broad impact, affecting multiple major versions of Apache Tomcat. Specifically: all versions from 11.0.0-M1 to 11.0.5, all versions from 10.1.0-M1 to 10.1.39, and all versions from 9.0.0.M1 to 9.0.102. Notably, at the time the CVE was created, the already end-of-li...

The Lab · 2026-04-14 19:23:07 · GitHub Issues

16. High-Severity XSS Vulnerability in serve-handler Exposes Node.js Apps to Script Injection

A critical security flaw in the popular `serve-handler` dependency allows attackers to inject and execute malicious JavaScript in victims' browsers. The vulnerability, rated a high 7.9 out of 10, stems from unsanitized user input from the request URL flowing directly into HTML responses. This creates a classic reflecte...

The Lab · 2026-04-15 19:22:57 · GitHub Issues

17. Flask-Cors Log Injection Vulnerability (CVE-2024-1681) Exposes Applications to Log File Manipulation

A critical security flaw in the widely-used Flask-Cors library allows attackers to inject fake entries into application log files, potentially covering their tracks and undermining forensic investigations. The vulnerability, tracked as CVE-2024-1681, exists when the library's log level is set to debug. An attacker can ...

The Lab · 2026-04-15 19:23:00 · GitHub Issues

18. Jinja2 Security Patch: XML Attribute Injection Vulnerability (CVE-2024-22195) Exposes Web Applications

A critical security flaw in the widely-used Jinja2 templating engine has been patched, exposing countless Python web applications to potential cross-site scripting (XSS) attacks. The vulnerability, tracked as CVE-2024-22195, resides in the `xmlattr` filter, which failed to properly validate user input. This filter, des...

The Lab · 2026-04-16 02:22:23 · GitHub Issues

19. Hono Web Framework Security Patch: BasicAuth & BearerAuth Middlewares Had Non-Timing-Safe Comparison Vulnerability

A critical security update has been issued for the popular Hono web framework, patching a vulnerability in its core authentication components. The `basicAuth` and `bearerAuth` middlewares were found to be using a standard string equality check (`===`) instead of a fully timing-safe comparison when validating hash value...

The Lab · 2026-04-16 06:22:47 · GitHub Issues

20. DOMPurify Security Flaw: GHSA-39q2-94rc-95cp Bypasses FORBID_TAGS, Prompting Critical v3.4.0 Patch

A critical logic flaw in the widely-used DOMPurify HTML sanitization library has been disclosed, allowing specially crafted tags to bypass security restrictions. The vulnerability, tracked as GHSA-39q2-94rc-95cp, stems from a short-circuit evaluation error in the library's core purification logic. This defect could ena...