WhisperX tag archive

#xss

This page collects WhisperX intelligence signals tagged #xss. It is designed for humans, search engines, and AI agents: each item links to a canonical source-backed record with sector, source, timestamp, credibility, and exportable structured data.

Latest Signals (20)

The Network · 2026-03-06 05:13:09 · ai

1. 🔒 XSS Vulnerability in NodeGoat Demo Repository - Development Config Exposes Script Injection Risk

A security vulnerability report identifies a Cross-Site Scripting (XSS) vulnerability in the RSOLV-dev/nodegoat-vulnerability-demo repository. The vulnerability is classified as HIGH severity and is present in one file. The specific issue is located in `config/env/development.js` at line 11, where the code directly use...

The Lab · 2026-03-25 13:27:22 · GitHub Issues

3. Critical XSS Vulnerability in LLM Output Rendering: Unfiltered innerHTML Exposes User Sessions

A critical security flaw in a codebase's AI summary feature allows malicious Large Language Model (LLM) outputs to execute arbitrary JavaScript in users' browsers. The vulnerability stems from the direct insertion of streaming LLM responses into the Document Object Model (DOM) using `innerHTML` in the `ai_summary.js` f...

The Lab · 2026-03-25 14:27:32 · GitHub Issues

4. Critical Security Flaw: Admin JWT Token Stored in sessionStorage, Vulnerable to XSS Theft

A critical security vulnerability has been identified in a web application's admin panel, where the administrator's JSON Web Token (JWT) is stored insecurely within the browser's `sessionStorage`. This storage mechanism is accessible to any JavaScript executing on the same page, creating a direct pathway for an attacke...

The Lab · 2026-03-25 14:27:36 · GitHub Issues

5. Security Alert: DOM-based XSS Vulnerability in Frontend via innerHTML in Error Handling

A critical security flaw has been identified in the application's frontend, exposing it to a DOM-based Cross-Site Scripting (XSS) attack. The vulnerability resides in the main application entry point, where unsanitized user-influenced data is directly injected into the DOM using the `innerHTML` property. This creates a...

The Lab · 2026-03-25 15:27:33 · GitHub Issues

6. 🔒 HIGH-Severity XSS Vulnerability Exposed in JavaScript File: Direct innerHTML Assignment Poses Active Risk

A high-severity Cross-Site Scripting (XSS) vulnerability has been identified within a single JavaScript file, posing a direct risk of client-side script injection. The flaw is classified under CWE-79 and OWASP A03:2021 - Injection, with an 80% confidence rating. The core issue is a direct, unescaped assignment of user ...

The Lab · 2026-03-25 16:27:15 · GitHub Issues

7. 🔒 XSS Vulnerability in Development Config Exposes Potential Attack Vector

A high-severity Cross-Site Scripting (XSS) vulnerability has been identified within a critical development configuration file. The flaw resides in a `document.write` call that directly incorporates user input without proper sanitization, creating a potential injection point for malicious scripts to execute in users' br...

The Lab · 2026-03-26 19:27:35 · GitHub Issues

8. P1 Critical: XSS Vulnerability in REVIEW_ME.tsx via dangerouslySetInnerHTML Exposes User Data

A critical security flaw has been identified in the codebase, exposing the application to cross-site scripting (XSS) attacks. The vulnerability originates in the `REVIEW_ME.tsx` component, which renders user-controlled ticket descriptions as raw HTML without sanitization. This allows any user with ticket creation privi...

The Lab · 2026-03-26 20:27:20 · GitHub Issues

9. Critical Security Flaw: JWT Tokens Stored in localStorage Expose Website to XSS Attacks

A high-severity security vulnerability has been identified in a website's authentication system, where sensitive JSON Web Tokens (JWT) are stored in the browser's `localStorage`. This implementation flaw creates a direct pathway for Cross-Site Scripting (XSS) attacks, allowing any malicious script injected into the pag...

The Lab · 2026-03-26 20:27:23 · GitHub Issues

10. Critical JWT Token Security Flaw Exposes Web Application to XSS and CSRF Attacks

A high-severity security vulnerability has been identified in a web application's authentication system, where improperly configured JWT tokens lack essential security flags, leaving them exposed to token theft and session hijacking. The flaw resides in the `auth.ts` file, where tokens are set in cookies without the `H...

The Lab · 2026-03-27 17:27:29 · GitHub Issues

11. Low-Severity XSS Vulnerability in Angular Compiler 20.3.17, Fixed Version Released

A cross-site scripting (XSS) vulnerability has been confirmed in the compiler package of Angular, the major front-end framework developed by Google. The vulnerability exists in version 20.3.17 of `@angular/compiler` and opens the possibility for an attacker to inject malicious scripts. In the assessment by the security company Snyk, the CVSS v4.0 score is 2.1, rated "Low" severity, while under CVSS v3.1 it is rated 4.4, "Medium" severity, so the risk ratings differ. At this time, no attacks exploiting this vulnerability have been confirmed. This issue applies to projects that use `@angular/[email protected]` as a dependency...

The Lab · 2026-03-27 17:27:30 · GitHub Issues

12. Cross-Site Scripting (XSS) Vulnerability in Angular Core 20.3.17, Official Fix Released

A cross-site scripting (XSS) security vulnerability has been found in version `@angular/[email protected]` of the Angular framework's core library. The vulnerability has a CVSS v3.1 score of 4.4 (medium), while Snyk's CVSS v4.0 score is 2.1 (low). At present there is no known public exploit for the vulnerability, but it has been confirmed to be introduced through specific paths, for example by depending on the affected version in the `[email protected]` project. The root cause of the vulnerability lies in version `@angular/[email protected]`. The Angular team has fixed the issue in subsequent releases, specifically `@angular/[email protected]`, `@20.3.18`, `@21.2.3`, and `@22.0.0-next.2`...

The Lab · 2026-03-27 21:27:26 · GitHub Issues

13. Sentinel Flags High-Risk XSS Vector in Vue Provider Definition, Forces Code Fix

A high-severity security vulnerability was identified and patched within the `packages/stage-pages` module, where the use of the `v-html` directive to inject `providerDefinition` content created an unnecessary cross-site scripting (XSS) vector. The content, sourced from i18n configurations, was plain text, but the `v-h...

The Lab · 2026-03-28 02:56:51 · GitHub Issues

14. Critical XSS Vulnerability in Cloud Function Exposes Email Recipients to Arbitrary Code Execution

A critical security flaw in a cloud function's email invitation system allows attackers to inject and execute arbitrary HTML and JavaScript in recipients' email clients. The vulnerability stems from the direct interpolation of user-controlled variables—`inviterName`, `groupName`, and `toEmail`—into an HTML email templa...

The Lab · 2026-03-28 16:27:02 · GitHub Issues

15. XSS Vulnerability in Map Popup via innerHTML Exposes User Data to Script Injection

A critical cross-site scripting (XSS) vulnerability has been identified in a React component, where user-controlled data is directly injected into the DOM via `innerHTML`. The flaw, located in `SitterClusterMap.tsx` between lines 97 and 118, constructs popup content by interpolating unsanitized fields like `sitter.name...

The Lab · 2026-03-29 04:26:56 · GitHub Issues

16. Security Flaw: Auth Endpoints Expose Tokens in JSON Response, Undermining httpOnly Cookie Protection

A significant security design flaw has been identified in the authentication system, where critical access and refresh tokens are being unnecessarily exposed in plain JSON responses. The registration and login endpoints (`src/api/routes/auth.py:103,155`) return these tokens in the response body via a `TokenResponse` mo...

The Lab · 2026-03-29 05:26:55 · GitHub Issues

17. Angular Compiler Security Update: Critical XSS Vulnerability in SVG Script Handling (CVE-2026-22610)

A critical security vulnerability in the Angular framework's compiler component has been disclosed, prompting an urgent dependency update. The flaw, tracked as CVE-2026-22610 (GHSA-jrmj-c5cx-3cw6), involves a cross-site scripting (XSS) risk stemming from unsanitized SVG script attributes. This vulnerability could allow...

The Lab · 2026-03-29 05:27:03 · GitHub Issues

18. CVE-2017-1000188: Legacy EJS Library ejs-0.8.8.tgz Harbors Persistent XSS Risk, Code Injection Threat

A critical security flaw, designated CVE-2017-1000188, has been identified in the legacy `ejs-0.8.8.tgz` library, exposing dependent applications to cross-site scripting (XSS) and potential code injection attacks. The vulnerability, rated with a medium severity score of 6.1, resides specifically within the `ejs.renderF...

The Lab · 2026-03-29 06:26:58 · GitHub Issues

19. Home Assistant CVE-2026-33044: Authenticated XSS Vulnerability in Map Card Device Names

A critical security flaw in the popular open-source home automation platform Home Assistant allows authenticated users to inject malicious scripts into the system. The vulnerability, tracked as CVE-2026-33044, enables cross-site scripting (XSS) attacks through a seemingly innocuous feature: the ability to name a device...

The Lab · 2026-03-29 15:27:03 · GitHub Issues

20. SEC-012: Critical XSS Vulnerability in Dashboard via Unescaped Single Quotes in Inline Handlers

A critical cross-site scripting (XSS) vulnerability has been identified in the platform's dashboard, exposing users to potential session hijacking and data theft. The flaw resides in multiple inline `onclick` handlers that fail to properly escape single quotes, allowing attackers to inject and execute arbitrary JavaScr...