Unknown · Promptcraft-Forge-Studio · CVE-2025-58361
**Name of the Vulnerable Software and Affected Versions**
Promptcraft Forge Studio (affected versions not specified)
**Description**
Promptcraft Forge Studio, a toolkit for evaluating, optimizing, and maintaining LLM-powered applications, contains an incomplete URL scheme check that does not prevent cross-site scripting (XSS). User-controlled URLs are processed through `src/utils/validation.ts`, but the check is a blocklist: it only removes `javascript:` and a limited set of patterns, so any scheme not on that list passes through. In particular, `data:` URLs such as `data:image/svg+xml,…` are not blocked. If the "sanitized" value is then placed in an `href` or `src` attribute, an attacker who controls the URL can execute script.
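The following TypeScript is an added illustration and is not code from Promptcraft Forge Studio or its `src/utils/validation.ts`. It places a blocklist-style check of the kind the advisory describes next to an allowlist-based check built on the WHATWG `URL` parser, and runs both over constructed sample inputs, including the `data:` SVG case. The function names, the set of allowed schemes and the sample URLs are assumptions made for this example.

```typescript
// Added example (not the project's code). Shows why a scheme blocklist fails
// and how an allowlist check behaves on the same inputs. Names, the allowed
// scheme set and the sample inputs are assumptions for illustration only.

/**
 * Illustrative blocklist check: strips a few known-dangerous schemes and lets
 * everything else through. This is the weak pattern, kept here to show what it
 * misses; it is a stand-in, not the project's actual validation code.
 */
function blocklistSanitizeUrl(input: string): string {
  return input.replace(/^\s*(javascript|vbscript):/i, "");
}

/** Schemes a link or embed target may use (assumed policy); everything else is rejected. */
const ALLOWED_SCHEMES: ReadonlySet<string> = new Set(["http:", "https:", "mailto:"]);

/**
 * Allowlist check: parse with the WHATWG URL parser, which applies the same
 * normalisation browsers do (stripping leading/trailing whitespace and embedded
 * tabs/newlines, lower-casing the scheme), then accept only known-safe schemes.
 * data:, javascript:, vbscript: and unparsable input all become `fallback`.
 * Relative URLs are resolved against a placeholder base only to classify their
 * scheme; the caller's original string is returned when it is accepted.
 */
function allowlistSanitizeUrl(input: string, fallback = "about:blank"): string {
  let parsed: URL;
  try {
    parsed = new URL(input, "https://placeholder.invalid/");
  } catch {
    return fallback;
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? input : fallback;
}

/** Attribute-context escaping: a scheme check alone does not make a value safe to interpolate. */
function escapeAttr(value: string): string {
  return value
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

/** Build an anchor whose href is both scheme-checked and attribute-escaped. */
function renderLink(url: string, text: string): string {
  return `<a href="${escapeAttr(allowlistSanitizeUrl(url))}">${escapeAttr(text)}</a>`;
}

// Constructed sample inputs (not taken from any real report).
const SAMPLE_URLS: readonly string[] = [
  "https://example.com/docs",
  "/relative/path",
  "mailto:security@example.com",
  "javascript:alert(1)",
  "JaVaScRiPt:alert(1)",
  "data:image/svg+xml,<svg/onload=alert(1)>",
  "java\nscript:alert(1)",
];

for (const url of SAMPLE_URLS) {
  console.log(
    JSON.stringify(url),
    "| blocklist:", JSON.stringify(blocklistSanitizeUrl(url)),
    "| allowlist:", JSON.stringify(allowlistSanitizeUrl(url)),
  );
}
```

Two things the output makes visible: the blocklist returns the `data:` payload untouched because `data:` is simply not on its list, and it also returns `java\nscript:alert(1)` untouched even though the URL parser (and a browser) normalises that to `javascript:`. The allowlist rejects both because it decides on the parsed scheme rather than on string patterns. `escapeAttr` is there as a reminder that even an accepted URL still needs attribute-context encoding when interpolated into HTML.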
**Recommendations**
At the time of writing, there is no information about a release that fixes this vulnerability. Until one is available, treat URLs that pass the existing check as untrusted: accept only an explicit allowlist of schemes (for example `http:`, `https:` and `mailto:`) before using a value in an `href` or `src` attribute, rather than stripping known-bad prefixes.