Ixsly

**Name of the Vulnerable Software and Affected Versions** CryptPad versions prior to 2026.2.0 **Description** The HTML sanitizer in Diffmarked.js contains a flaw where it fails to properly filter attributes on restricted tags. While the sanitizer validates the `src` attribute for `<iframe>`, `<video>`, and `<audio>` elements, it does not check other attributes. This allows an attacker to inject arbitrary HTML using the `srcdoc` attribute, bypassing the intended bounce sandboxing and enabling link injection or other interactive content within user-controlled documents. The issue occurs because `<iframe>` is classified as a restricted tag rather than a forbidden one, and the enforcement mechanism only inspects the `src` attribute. **Recommendations** Update to version 2026.2.0.

Name of the Vulnerable Software and Affected Versions lichess.org (affected versions not specified) Description lichess.org, a free and open-source chess server, had a server-side HTML injection sink in the /streamer endpoint and the homepage “Live streams” widget. Approved streamers could inject arbitrary HTML by including markup in their Twitch or YouTube stream title. While a Content Security Policy (CSP) was in place to block inline script execution, the issue remained exploitable. To trigger this, a Lichess account needed to meet streamer requirements: being older than 2 days with at least 15 games played, or being a verified/titled account, and receiving moderator approval. Once live, Lichess would render the platform title directly into the user interface. Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Kimai versions prior to 2.1.0 **Description** Kimai, a web-based multi-user time-tracking application, is vulnerable to a Server-Side Template Injection (SSTI) which can be escalated to Remote Code Execution (RCE). The vulnerability arises when a malicious user uploads a specially crafted Twig file, exploiting the software's PDF and HTML rendering functionalities. This allows an attacker to execute arbitrary code on the server. The issue is triggered when the software attempts to render invoices. **Recommendations** For versions prior to 2.1.0, update to version 2.1.0 or later, which enables security measures for custom Twig templates, mitigating the vulnerability. As a temporary workaround, consider disabling the rendering of custom Twig templates until a patch is available. Restrict access to the invoice rendering functionality to minimize the risk of exploitation. Avoid using the vulnerable PDF and HTML rendering functionalities until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Ghost versions prior to 5.59.1 **Description** The issue allows authenticated users to upload files that are symlinks, which can be exploited to perform an arbitrary file read of any file on the host operating system. Site administrators can check for exploitation by looking for unknown symlinks within Ghost's `content/` folder. **Recommendations** For versions prior to 5.59.1, upgrade to version 5.59.1 to resolve the issue. As a temporary workaround, consider monitoring the `content/` folder for unknown symlinks and restricting file upload capabilities to trusted users until the upgrade can be applied.

**Name of the Vulnerable Software and Affected Versions** OpenRefine versions 3.5.2 and earlier **Description** The issue allows unauthorized users to exploit the system, potentially leading to unauthorized access to internal resources and sensitive file disclosure due to a Server-Side Request Forgery (SSRF) vulnerability. **Recommendations** For OpenRefine versions 3.5.2 and earlier, update to a version later than 3.5.2 to resolve the issue. As a temporary workaround, consider restricting access to internal resources to minimize the risk of exploitation.