CWE-116

Total CVEs: 80
Critical: 25
High: 25
Avg CVSS: 7.5

Yearly Trend

2026: 12
2025: 32
2024: 14
2023: 9
2022: 7

Top Affected Vendors

1. Mozilla: 5
2. Apache: 5
3. Debian: 4
4. GitLab: 3
5. Hallowelt: 3
6. Git: 3
7. NetApp: 2
8. Fedoraproject: 2
9. IBM: 2
10. Coollabs: 2

All CWE-116 CVEs (80)

CVE-2025-15312 | CVSS 6.6 | Feb 5, 2026

An improper output sanitization vulnerability in Tanium Appliance could allow attackers to inject malicious content into application outputs. This aff...

CVE-2026-24439 | CVSS 6.5 | Jan 26, 2026

Tenda W30E V2 routers with vulnerable firmware lack the X-Content-Type-Options: nosniff header on web management interfaces. This allows attackers to ...

CVE-2025-6429 | CVSS 6.5 | Jun 24, 2025

Firefox incorrectly parses URLs in embed tags, rewriting them to youtube.com and bypassing website security checks that restrict embed domains. This a...

CVE-2024-47224 | CVSS 6.5 | Oct 21, 2024

A CRLF injection vulnerability in Mitel MiCollab AWV component allows unauthenticated attackers to manipulate URLs to conduct phishing attacks. This a...

CVE-2025-46703 | CVSS 6.4 | Sep 19, 2025

This vulnerability allows attackers to inject malicious scripts into BlueSpice wiki pages through the AtMentions extension. When exploited, it enables...

CVE-2025-48007 | CVSS 6.4 | Sep 19, 2025

This CVE describes an improper output encoding vulnerability in BlueSpice's Avatars extension that allows cross-site scripting (XSS) attacks. Attacker...

CVE-2026-28348 | CVSS 6.1 | Mar 5, 2026

This vulnerability in lxml_html_clean allows attackers to bypass CSS filters by using Unicode escape sequences, potentially enabling cross-site script...

CVE-2026-25543 | CVSS 6.1 | Feb 4, 2026

HtmlSanitizer versions before 9.0.892 and 9.1.893-beta fail to sanitize content within template tags when those tags are allowed, potentially enabling...

CVE-2025-13742 | CVSS 6.1 | Nov 27, 2025

This vulnerability in pretix allows attackers to inject HTML/Markdown content into emails by using maliciously formatted attendee names. While XSS att...

CVE-2025-11712 | CVSS 6.1 | Oct 14, 2025

This vulnerability allows malicious web pages to bypass browser security controls using OBJECT tags when servers don't provide proper content-type hea...

CVE-2025-24025 | CVSS 6.1 | Jan 24, 2025

Coolify versions before 4.0.0-beta.380 contain a reflected cross-site scripting (XSS) vulnerability in the tags search functionality. When a search re...

CVE-2024-6329 | CVSS 5.7 | Aug 8, 2024

A path encoding vulnerability in GitLab's web interface causes diff rendering failures when viewing file changes. This affects all GitLab CE/EE instan...

CVE-2025-9127 | CVSS 5.5 | Dec 4, 2025

A vulnerability in PX Enterprise allows sensitive information to be logged under specific conditions, potentially exposing confidential data. This aff...

CVE-2025-42896 | CVSS 5.4 | Dec 9, 2025

SAP BusinessObjects Business Intelligence Platform has a URL parameter injection vulnerability that allows unauthenticated remote attackers to make th...

CVE-2025-57880 | CVSS 5.4 | Sep 19, 2025

This CVE describes a cross-site scripting (XSS) vulnerability in BlueSpice's WhoIsOnline extension due to improper output encoding. Attackers can inje...

CVE-2024-9427 | CVSS 5.4 | Dec 24, 2024

CVE-2024-9427 is a reflected cross-site scripting (XSS) vulnerability in Koji where unsanitized input allows malicious JavaScript to be executed when ...

CVE-2024-39929 | CVSS 5.4 | Jul 4, 2024

This vulnerability in Exim mail servers allows attackers to bypass filename extension filtering by using specially crafted multiline RFC 2231 headers....

CVE-2025-46583 | CVSS 5.3 | Oct 27, 2025

A Denial of Service vulnerability exists in ZTE MC889A Pro devices due to insufficient input validation in the SMS interface. Attackers can exploit th...

CVE-2025-61912 | CVSS 5.3 | Oct 10, 2025

A vulnerability in python-ldap's escape_dn_chars() function incorrectly escapes null bytes, causing client-side denial of service when constructing DN...

CVE-2025-25029 | CVSS 4.9 | May 28, 2025

IBM Security Guardium 12.0 contains an improper input escaping vulnerability that allows authenticated privileged users to download arbitrary files fr...

CVE-2024-50349 | CVSS 4.7 | Jan 14, 2025

This vulnerability allows attackers to craft malicious Git repository URLs containing ANSI escape sequences that manipulate terminal output during cre...

CVE-2025-66488 | CVSS 4.6 | Jan 28, 2026

This vulnerability in Discourse allows attackers to upload HTML or XML files to S3 storage that can execute scripts in the context of the S3/CDN domai...

CVE-2026-0818 | CVSS 4.3 | Jan 28, 2026

This vulnerability in Thunderbird allows attackers to exfiltrate decrypted OpenPGP email contents through CSS injection when users load remote content...

CVE-2026-22712 | CVSS 4.3 | Jan 9, 2026

This CVE describes an improper output encoding vulnerability in MediaWiki's ApprovedRevs extension where magic word replacement in ParserAfterTidy all...

CVE-2025-23377 | CVSS 4.2 | Apr 28, 2025

This vulnerability allows a high-privileged attacker with local access to inject malicious web scripts or HTML into Dell PowerProtect Data Manager Rep...

CVE-2025-0083 | CVSS 4.0 | Aug 26, 2025

This CVE-2025-0083 vulnerability allows unauthorized access to content across user profiles on Android devices due to URI double encoding. It enables ...

CVE-2023-28362 | CVSS 4.0 | Jan 9, 2025

This vulnerability in Ruby on Rails allows attackers to inject malicious characters into redirect URLs via the redirect_to method. When downstream ser...

CVE-2025-12734 | CVSS 3.5 | Dec 11, 2025

This vulnerability allows authenticated GitLab users to inject malicious HTML content into merge request titles, which could render in other users' di...

CVE-2025-66548 | CVSS 3.3 | Dec 5, 2025

This vulnerability in Nextcloud Deck allows attackers to spoof file extensions using Right-to-Left Override (RTLO) characters, tricking users into dow...

CVE-2025-11085 | CVSS N/A | Nov 11, 2025

A persistent cross-site scripting (XSS) vulnerability in DataMosaix Private Cloud allows attackers to inject malicious JavaScript that executes in use...

About CWE-116

Our database tracks 80 CVEs classified as CWE-116, with 25 rated critical and 25 rated high severity. The average CVSS score for CWE-116 vulnerabilities is 7.5.
