Top 20 matches (results similar to CVE-2024-56082)
CVE-2024-56082
LOW CVSS 3.5
ChatBar.tsx in Lumos before 1.0.17 parses raw HTML in Markdown because the markdown-to-jsx package is used without disableParsingRawHTML set to true.

CVE-2024-21535
MEDIUM CVSS 6.1
Versions of the package markdown-to-jsx before 7.4.0 are vulnerable to Cross-site Scripting (XSS) via the src property due to improper input sanitization. An attacker can execute arbitrary code by inj

CVE-2025-50733
MEDIUM CVSS 6.1
NextChat contains a cross-site scripting (XSS) vulnerability in the HTMLPreview component of artifacts.tsx that allows attackers to execute arbitrary JavaScript code when HTML content is rendered in t

CVE-2025-47828
MEDIUM CVSS 6.4
Lumi H5P-Nodejs-library before 9.3.3 omits a sanitizeHtml call for plain text strings.

CVE-2026-44451
CRITICAL CVSS 9.3
Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the component override system transpiles user-supplied TSX via Sucrase and evaluates it with new Function, shadowing dangerous globals

CVE-2025-24981
CRITICAL CVSS 9.3
MDC is a tool to take regular Markdown and write documents interacting deeply with a Vue component. In affected versions unsafe parsing logic of the URL from markdown can lead to arbitrary JavaScript

CVE-2026-41318
MEDIUM CVSS 5.4
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.12.1, AnythingLLM's in-chat markdown renderer has an unsa

CVE-2026-43900
CRITICAL CVSS 9.3
DeepChat is an open-source artificial intelligence agent platform that unifies models, tools, and agents. Prior to v1.0.4-beta.1, a Cross-Site Scripting (XSS) vulnerability exists due to a discrepancy

CVE-2026-30048
MEDIUM CVSS 5.4
A stored cross-site scripting (XSS) vulnerability exists in the NotChatbot WebChat widget thru 1.4.4. User-supplied input is not properly sanitized before being stored and rendered in the chat convers
CVE-2024-51434
MEDIUM CVSS 6.1
Inconsistent <plaintext> tag parsing allows for XSS in Froala WYSIWYG editor 4.3.0 and earlier.

CVE-2026-25802
MEDIUM CVSS 5.4
New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.10.8-alpha.9, a potential unsafe operation occurs in component `MarkdownRend

CVE-2025-51403
MEDIUM CVSS 6.5
A stored cross-site scripting (XSS) vulnerability in the department assignment editing module of Live Helper Chat v4.60 allows attackers to execute arbitrary web scripts or HTML via injecting a cra

CVE-2026-50733
HIGH CVSS 8.6
Markdown Preview Enhanced before 0.8.28 parses WaveDrom diagrams by evaluating untrusted markdown content with eval(), allowing arbitrary JavaScript execution. The flaw affects every render path - the

CVE-2025-66481
CRITICAL CVSS 9.6
DeepChat is an open-source AI chat platform that supports cloud models and LLMs. Versions 0.5.1 and below are vulnerable to XSS attacks through improperly sanitized Mermaid content. The recent securit

CVE-2025-57483
HIGH CVSS 8.1
A reflected cross-site scripting (XSS) vulnerability in tawk.to chatbox widget v4 allows attackers to execute arbitrary JavaScript in the context of the user's browser via injecting a crafted payload

CVE-2026-32626
CRITICAL CVSS 9.6
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, AnythingLLM Desktop contains a Streaming Phase XSS vu

CVE-2025-54384
MEDIUM CVSS 6.3
CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.9 and 2.11.4, the helpers.markdown_extract() function did not perform sufficient sanitization

CVE-2025-31093
MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in redpixelstudios RPS Include Content rps-include-content allows DOM-Based XSS. This issue affects RP

CVE-2026-40890
HIGH CVSS 7.5
The package `github.com/gomarkdown/markdown` is a Go library for parsing Markdown text and rendering as HTML. Processing a malformed input containing a < character that is not followed by a > characte

CVE-2025-51400
MEDIUM CVSS 5.4
A stored cross-site scripting (XSS) vulnerability in the Personal Canned Messages of Live Helper Chat v4.60 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload.