Remark42
Monthly
Stored/reflected XSS in Remark42 self-hosted comment engine versions 1.6.0 through 1.15.0 allows unauthenticated remote attackers to execute arbitrary JavaScript in the context of a Remark42 origin by abusing a Content-Type inconsistency in the image proxy. The proxy trusts the upstream Content-Type header during the download check but re-sniffs bytes when serving, letting an HTML/JS payload advertised as image/png be re-served as text/html from the victim instance's own origin. No public exploit identified at time of analysis; fixed in 1.16.0.
umputun remark42 version 1.12.1 and before has a Blind Server-Side Request Forgery (SSRF) vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
{URL:" followed by an XSS payload. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Stored/reflected XSS in Remark42 self-hosted comment engine versions 1.6.0 through 1.15.0 allows unauthenticated remote attackers to execute arbitrary JavaScript in the context of a Remark42 origin by abusing a Content-Type inconsistency in the image proxy. The proxy trusts the upstream Content-Type header during the download check but re-sniffs bytes when serving, letting an HTML/JS payload advertised as image/png be re-served as text/html from the victim instance's own origin. No public exploit identified at time of analysis; fixed in 1.16.0.
umputun remark42 version 1.12.1 and before has a Blind Server-Side Request Forgery (SSRF) vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
{URL:" followed by an XSS payload. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.