Summary
symfony/ux-icons: XSS via unsanitized SVG content in local files and Iconify on-demand responses
References
Related vulnerabilities
- HIGH GHSA-X975-RGX4-5FH4
  appium-mcp: Unescaped Locator Data XSS in MCP-UI Resource (createLocatorGeneratorUI)
- LOW GHSA-H5JC-78HR-3PC9
  Sveltia CMS: Stored XSS in Markdown/RichText preview via unsandboxed same-origin iframe
- HIGH GHSA-5C7P-G73Q-RPG5
  StarCitizenWiki Extension Embed Video: Stored XSS via malformed src url with $wgEmbedVideoRequireConsent enabled
- MEDIUM GHSA-WWF9-7JRC-RV4Q
  Outerbase Studio: Stored XSS in Text Widget Leads to Authentication Token Exposure
- MEDIUM GHSA-GX93-M64W-5M6H
  Allure Report: Stored XSS via unescaped ANSI helper in status message/trace rendering
- HIGH GHSA-G5QX-H5F3-MP2F
  TinaCMS: Cross-origin postMessage handlers and rich-text URL-sanitization bypass enable stored XSS and session takeover