Angular: Template and Attribute Namespace Sanitization Bypass (XSS)
@angular/platform-server: Missing `<noscript>` Raw-Text Serialization Escaping leads to Cross-Site Scripting (XSS) in Angular SSR
@angular/platform-server: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
node-tar applies PAX size override to intermediary GNU long-name/long-link headers, causing tar parser interpretation differential (file smuggling)
launch-editor: NTLMv2 hash disclosure via UNC path handling on Windows
vite: `server.fs.deny` bypass on Windows alternate paths
JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases
@babel/core: Arbitrary File Read via sourceMappingURL Comment
@angular/service-worker: Request Credential & Cache Policy Stripping
@angular/common: Denial of Service (DoS) via OOM in Number Formatting (digitsInfo)
@angular/common: Information Leak via Default Caching of Credentialed Requests in HttpTransferCache
@angular/core: Angular Template and Dynamic Component Namespace Bypass leading to Cross-Site Scripting (XSS)
Symfony: HtmlSanitizer UrlAttributeSanitizer Misses URL Attributes
Angular Service Worker Policy-Bypass & Credential-Stripping Vulnerabilities
@angular/platform-server: URL Parser Differential leading to SSRF Allowlist Bypass
ws is an open source WebSocket client and server for Node.js. All versions from 1.1.0 up to (but not including) 5.2.5, from 6.0.0 up to 6.2.4, from 7.0.0 up to 7.5.11, and from 8.0.0 up to 8.21.0 are affected by a memory exhaustion DoS vulnerability. A peer can send a high volume of exceptionally sm...
Fortra BoKS Manager contains an OS command injection vulnerability in the client upgrade and patch tooling for legacy tar-based client installations. A malicious or compromised legacy tar-installed client selected for upgrade or patching may be able to cause commands to be executed on the BoKS Maste...
Fortra'sย Core Privileged Access Manager (BoKS)ย contains an OS command injection vulnerability in the boks_autoregisterd service. A remote attacker with network access to the service may be able to cause commands to be executed with the privileges of the service during the autoregistration proc...
Impact: When a user-configured proxy on webpack-dev-server has a broad context (e.g. /) and ws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and Origin header to the backend, bypasses the dev server's...
Mattermost Desktop App versions <=6.1 5.5.13.0 fail to account for attempting to open extremely long URLs in the Mattermost Desktop App which allows a malicious server owner to crash the application via including a script to call window.open on a very large URL. Mattermost Advisory ID: MMSA-2026-...