Unknown · Lambdaisland/Uri · CVE-2023-28628
**Name of the Vulnerable Software and Affected Versions**
lambdaisland/uri versions prior to 1.14.120
**Description**
The issue allows an attacker to send malicious URLs to be parsed by the lambdaisland/uri library, returning the wrong authority. This occurs because the `authority-regex` does not handle the backslash (`\`) character in the username correctly, leading to incorrect output. For example, a payload of `https://example.com\@google.com` would return `google.com` as the host, when the correct host should be `example.com`. This may be abused to bypass host restrictions depending on how the library is used in an application.
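The host-confusion class described above, as an added example that is not part of the original advisory and not the library's own code. Python is used here because the point is the parsing logic, not Clojure specifics: `naive_host` is a constructed stand-in for a lenient authority parser that accepts the backslash as ordinary userinfo text, `stdlib_host` shows what Python's `urllib.parse` makes of the same input, and `strict_host` is the hardened form a defender would want, which validates the authority against the RFC 3986 character set and rejects anything it does not recognise rather than picking one of two possible hosts. The payload string and allowlist are constructed sample values.

```python
import re
from urllib.parse import urlsplit

# RFC 3986 authority: everything after "scheme://" up to the first "/", "?" or "#".
_AUTHORITY = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://([^/?#]*)")

# Characters RFC 3986 permits in userinfo, reg-name and port. Backslash is NOT here.
_STRICT_AUTHORITY = re.compile(
    r"^(?:[A-Za-z0-9\-._~!$&'()*+,;=:%]*@)?"            # optional userinfo + "@"
    r"(?P<host>\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9\-._~%]+)"  # IPv6 literal or reg-name
    r"(?::\d*)?$"                                        # optional port
)


def naive_host(url):
    """Lenient parse (constructed stand-in, not lambdaisland's authority-regex):
    take the authority, split on the LAST '@', drop the port. The backslash is
    treated as just another userinfo character, so the attacker-chosen part
    after '@' becomes the host."""
    m = _AUTHORITY.match(url)
    if not m:
        return None
    hostport = m.group(1).rsplit("@", 1)[-1]
    return hostport.split(":", 1)[0].lower() or None


def stdlib_host(url):
    """What Python's own RFC-style parser returns for comparison."""
    return urlsplit(url).hostname


def strict_host(url):
    """Hardened parse: accept only authorities that match the RFC 3986 grammar.
    Anything containing a backslash (or a second '@') yields None instead of a
    guessed host, so callers fail closed."""
    m = _AUTHORITY.match(url)
    if not m:
        return None
    sm = _STRICT_AUTHORITY.match(m.group(1))
    if not sm:
        return None
    return sm.group("host").lower()


def is_allowed(url, allowed_hosts):
    """Allowlist check built on the strict parser: unparseable means denied."""
    host = strict_host(url)
    return host is not None and host in allowed_hosts


if __name__ == "__main__":
    # Constructed sample input matching the advisory's payload shape.
    payload = "https://example.com\\@google.com"
    print("naive  :", naive_host(payload))   # google.com
    print("stdlib :", stdlib_host(payload))  # google.com
    print("strict :", strict_host(payload))  # None
    print("allowed:", is_allowed(payload, {"example.com"}))  # False
```

The design choice worth noting: because different parsers (regex-based libraries, `urllib.parse`, browsers following the WHATWG URL spec) disagree on where the host starts in such a string, an allowlist that merely reads the host from one parser inherits that parser's interpretation. Rejecting any authority that contains characters outside the RFC grammar removes the ambiguity entirely, which is a safer position than trying to match a particular parser's behaviour.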
**Recommendations**
For versions prior to 1.14.120, users are advised to upgrade to version 1.14.120 or later to resolve the issue.
At the moment, there is no information about other workarounds for this vulnerability.