๐จ CVE-2026-47378
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, Public shared-view endpoints exposed values from columns that the view owner had hidden, via three independent paths: groupBy returned raw values for any column named in the request, filter and sort arrays operated on hidden columns enabling boolean-blind extraction, and the related-data list accepted arbitrary link-column IDs from other tables in the same base. This vulnerability is fixed in 2026.04.1.
๐@cveNotify
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, Public shared-view endpoints exposed values from columns that the view owner had hidden, via three independent paths: groupBy returned raw values for any column named in the request, filter and sort arrays operated on hidden columns enabling boolean-blind extraction, and the related-data list accepted arbitrary link-column IDs from other tables in the same base. This vulnerability is fixed in 2026.04.1.
๐@cveNotify
GitHub
Hidden Column Exposure in Public Shared View Endpoints
### Summary
Public shared-view endpoints exposed values from columns that the view owner had
hidden, via three independent paths: groupBy returned raw values for any column
named in the request,...
Public shared-view endpoints exposed values from columns that the view owner had
hidden, via three independent paths: groupBy returned raw values for any column
named in the request,...
๐จ CVE-2026-47379
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the shared-view password check fell back to strict-equality (===) comparison for legacy plaintext passwords, leaking the password's length and per-character prefix through response timing. This vulnerability is fixed in 2026.05.1.
๐@cveNotify
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the shared-view password check fell back to strict-equality (===) comparison for legacy plaintext passwords, leaking the password's length and per-character prefix through response timing. This vulnerability is fixed in 2026.05.1.
๐@cveNotify
GitHub
Plaintext Password Comparison in Shared Views
### Summary
The shared-view password check fell back to strict-equality (`===`) comparison for
legacy plaintext passwords, leaking the password's length and per-character prefix
through respons...
The shared-view password check fell back to strict-equality (`===`) comparison for
legacy plaintext passwords, leaking the password's length and per-character prefix
through respons...
๐จ CVE-2026-47380
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, sign-in response timing differed between known and unknown email addresses because the unknown-user branch returned without performing a password hash comparison. This vulnerability is fixed in 2026.04.1.
๐@cveNotify
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, sign-in response timing differed between known and unknown email addresses because the unknown-user branch returned without performing a password hash comparison. This vulnerability is fixed in 2026.04.1.
๐@cveNotify
GitHub
User Enumeration via Sign-In Timing
### Summary
Sign-in response timing differed between known and unknown email addresses because
the unknown-user branch returned without performing a password hash comparison.
### Details
The unkno...
Sign-in response timing differed between known and unknown email addresses because
the unknown-user branch returned without performing a password hash comparison.
### Details
The unkno...
๐จ CVE-2026-47381
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, a user in one workspace could exercise another workspace's integration through the testConnection endpoint by supplying its ID, because the integration was fetched in a bypass scope and the caller's permission check matched any base in any workspace. This vulnerability is fixed in 2026.05.1.
๐@cveNotify
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, a user in one workspace could exercise another workspace's integration through the testConnection endpoint by supplying its ID, because the integration was fetched in a bypass scope and the caller's permission check matched any base in any workspace. This vulnerability is fixed in 2026.05.1.
๐@cveNotify
GitHub
Cross-Workspace Integration Use in Connection Test
### Summary
A user in one workspace could exercise another workspace's integration through the
`testConnection` endpoint by supplying its ID, because the integration was fetched in
a bypass sco...
A user in one workspace could exercise another workspace's integration through the
`testConnection` endpoint by supplying its ID, because the integration was fetched in
a bypass sco...
๐จ CVE-2026-47382
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the connection-test endpoint opened a raw TCP socket to the user-supplied database host without resolving and range-checking the destination, so private and link-local addresses (including IPv4-mapped IPv6 forms and localhost) reached the driver. This vulnerability is fixed in 2026.05.1.
๐@cveNotify
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the connection-test endpoint opened a raw TCP socket to the user-supplied database host without resolving and range-checking the destination, so private and link-local addresses (including IPv4-mapped IPv6 forms and localhost) reached the driver. This vulnerability is fixed in 2026.05.1.
๐@cveNotify
GitHub
Server-Side Request Forgery via Database Connection Host
### Summary
The connection-test endpoint opened a raw TCP socket to the user-supplied database
host without resolving and range-checking the destination, so private and link-local
addresses (includ...
The connection-test endpoint opened a raw TCP socket to the user-supplied database
host without resolving and range-checking the destination, so private and link-local
addresses (includ...
๐จ CVE-2026-47383
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated commenter could store HTML in row comments that executed as script when other users hovered over the comment in the expanded form view. The comment write paths persisted the raw comment body with no server-side sanitisation; the expanded-form sidebar then rendered the stored body and fed its data-tooltip attribute to Tippy with allowHTML: true. Even when the editor stripped script tags at write time, attribute-level payloads re-entered the DOM as live HTML on hover. This vulnerability is fixed in 2026.05.1.
๐@cveNotify
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated commenter could store HTML in row comments that executed as script when other users hovered over the comment in the expanded form view. The comment write paths persisted the raw comment body with no server-side sanitisation; the expanded-form sidebar then rendered the stored body and fed its data-tooltip attribute to Tippy with allowHTML: true. Even when the editor stripped script tags at write time, attribute-level payloads re-entered the DOM as live HTML on hover. This vulnerability is fixed in 2026.05.1.
๐@cveNotify
GitHub
Stored Cross-Site Scripting via Row Comments
### Summary
An authenticated commenter could store HTML in row comments that executed as script
when other users hovered over the comment in the expanded form view.
### Details
The comment wr...
An authenticated commenter could store HTML in row comments that executed as script
when other users hovered over the comment in the expanded form view.
### Details
The comment wr...
๐จ CVE-2026-47384
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated user with column-create permission can inject SQL into the bulk groupBy endpoint by setting a column's title to a SQL fragment. The bulk groupBy path in group-by.ts builds three database-specific knex.raw() aggregations that interpolate the request's column_name directly into the SQL string. Column lookup in data-table.service.ts matches on both the sanitized column_name field and the free-text title, so a title containing a SQL fragment bypasses the public endpoint's existing column allowlist and reaches the query builder unescaped. This vulnerability is fixed in 2026.05.1.
๐@cveNotify
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated user with column-create permission can inject SQL into the bulk groupBy endpoint by setting a column's title to a SQL fragment. The bulk groupBy path in group-by.ts builds three database-specific knex.raw() aggregations that interpolate the request's column_name directly into the SQL string. Column lookup in data-table.service.ts matches on both the sanitized column_name field and the free-text title, so a title containing a SQL fragment bypasses the public endpoint's existing column allowlist and reaches the query builder unescaped. This vulnerability is fixed in 2026.05.1.
๐@cveNotify
GitHub
SQL Injection via Column Title in Bulk GroupBy
### Summary
An authenticated user with column-create permission can inject SQL into the bulk groupBy
endpoint by setting a column's title to a SQL fragment.
### Details
The bulk groupBy path i...
An authenticated user with column-create permission can inject SQL into the bulk groupBy
endpoint by setting a column's title to a SQL fragment.
### Details
The bulk groupBy path i...
๐จ CVE-2026-47385
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated user with base-create permission can attach a SQLite source pointing at an arbitrary file on the NocoDB host, including NocoDB's own internal databases. The SQLite client and the base/integration create services accepted a caller-supplied filename and passed it to fs.exists and fs.open('w') without restricting the location. A user could point a source at noco.db, at a tenant database under nc_minimal_dbs/, or at any writable path the NocoDB process can reach, and then read or overwrite its contents through the regular table APIs.This vulnerability is fixed in 2026.05.1.
๐@cveNotify
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated user with base-create permission can attach a SQLite source pointing at an arbitrary file on the NocoDB host, including NocoDB's own internal databases. The SQLite client and the base/integration create services accepted a caller-supplied filename and passed it to fs.exists and fs.open('w') without restricting the location. A user could point a source at noco.db, at a tenant database under nc_minimal_dbs/, or at any writable path the NocoDB process can reach, and then read or overwrite its contents through the regular table APIs.This vulnerability is fixed in 2026.05.1.
๐@cveNotify
GitHub
Path Traversal via SQLite Source Filename
### Summary
An authenticated user with base-create permission can attach a SQLite source pointing at
an arbitrary file on the NocoDB host, including NocoDB's own internal databases.
### Detail...
An authenticated user with base-create permission can attach a SQLite source pointing at
an arbitrary file on the NocoDB host, including NocoDB's own internal databases.
### Detail...
๐จ CVE-2026-47386
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, two concurrent token-exchange requests using the same OAuth authorization code could each mint a distinct valid (access_token, refresh_token) pair, breaking the single-use guarantee that PKCE relies on. This vulnerability is fixed in 2026.05.1.
๐@cveNotify
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, two concurrent token-exchange requests using the same OAuth authorization code could each mint a distinct valid (access_token, refresh_token) pair, breaking the single-use guarantee that PKCE relies on. This vulnerability is fixed in 2026.05.1.
๐@cveNotify
GitHub
OAuth Authorization Code Race Condition
### Summary
Two concurrent token-exchange requests using the same OAuth authorization code could
each mint a distinct valid `(access_token, refresh_token)` pair, breaking the
single-use guarantee t...
Two concurrent token-exchange requests using the same OAuth authorization code could
each mint a distinct valid `(access_token, refresh_token)` pair, breaking the
single-use guarantee t...
๐จ CVE-2026-47387
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the shared form-view submit handler (packages/nc-gui/composables/useSharedFormViewStore.ts) in NocoDB writes the form's redirect_url to window.location.href after a same-host check that does not validate the URL scheme. A user with editor role (or above) on any base can plant a javascript: URL in the form's redirect_url; when an authenticated viewer opens the share-link and submits the form, the payload executes in the NocoDB origin and can read the session token from localStorage["nocodb-gui-v2"]. This vulnerability is fixed in 2026.05.1.
๐@cveNotify
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the shared form-view submit handler (packages/nc-gui/composables/useSharedFormViewStore.ts) in NocoDB writes the form's redirect_url to window.location.href after a same-host check that does not validate the URL scheme. A user with editor role (or above) on any base can plant a javascript: URL in the form's redirect_url; when an authenticated viewer opens the share-link and submits the form, the payload executes in the NocoDB origin and can read the session token from localStorage["nocodb-gui-v2"]. This vulnerability is fixed in 2026.05.1.
๐@cveNotify
GitHub
Stored Cross-Site Scripting via Form View Redirect URL
### Summary
The shared form-view submit handler in NocoDB writes the form's `redirect_url` to `window.location.href` after a same-host check that does not validate the URL scheme. A user with ...
The shared form-view submit handler in NocoDB writes the form's `redirect_url` to `window.location.href` after a same-host check that does not validate the URL scheme. A user with ...
๐จ CVE-2026-47388
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, a low-privilege MCP token holder with knowledge of an attachment path could read any file in shared storage, including attachments belonging to other bases and workspaces, because the MCP readAttachment tool did not verify the file's ownership. This vulnerability is fixed in 2026.05.1.
๐@cveNotify
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, a low-privilege MCP token holder with knowledge of an attachment path could read any file in shared storage, including attachments belonging to other bases and workspaces, because the MCP readAttachment tool did not verify the file's ownership. This vulnerability is fixed in 2026.05.1.
๐@cveNotify
GitHub
Missing Ownership Check in MCP Attachment Read
### Summary
A low-privilege MCP token holder with knowledge of an attachment path could read any
file in shared storage, including attachments belonging to other bases and workspaces,
because the M...
A low-privilege MCP token holder with knowledge of an attachment path could read any
file in shared storage, including attachments belonging to other bases and workspaces,
because the M...
๐จ CVE-2026-53927
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the spreadsheet-fetch endpoint (axiosRequestMake) accepted URLs whose path contained a permitted extension anywhere in the string, and applied a hand-rolled regex blocklist that omitted 127.0.0.0/8 and 169.254.0.0/16, allowing the cloud-metadata endpoint to be reached with a crafted URL This vulnerability is fixed in 2026.05.1.
๐@cveNotify
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the spreadsheet-fetch endpoint (axiosRequestMake) accepted URLs whose path contained a permitted extension anywhere in the string, and applied a hand-rolled regex blocklist that omitted 127.0.0.0/8 and 169.254.0.0/16, allowing the cloud-metadata endpoint to be reached with a crafted URL This vulnerability is fixed in 2026.05.1.
๐@cveNotify
GitHub
Server-Side Request Forgery via Spreadsheet Fetch URL
### Summary
The spreadsheet-fetch endpoint (`axiosRequestMake`) accepted URLs whose path
contained a permitted extension anywhere in the string, and applied a hand-rolled
regex blocklist that om...
The spreadsheet-fetch endpoint (`axiosRequestMake`) accepted URLs whose path
contained a permitted extension anywhere in the string, and applied a hand-rolled
regex blocklist that om...
๐จ CVE-2026-53928
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, a stolen refresh token survived a password-forgot flow and could be used to mint fresh JWTs even after the user reset their password. passwordChange and passwordReset deleted the user's refresh tokens, but passwordForgot only rotated token_version and revoked OAuth tokens โ it did not call UserRefreshToken.deleteAllUserToken(user.id). An attacker holding a captured refresh cookie could still exchange it for a new access token after the victim triggered the recovery flow. This vulnerability is fixed in 2026.05.1.
๐@cveNotify
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, a stolen refresh token survived a password-forgot flow and could be used to mint fresh JWTs even after the user reset their password. passwordChange and passwordReset deleted the user's refresh tokens, but passwordForgot only rotated token_version and revoked OAuth tokens โ it did not call UserRefreshToken.deleteAllUserToken(user.id). An attacker holding a captured refresh cookie could still exchange it for a new access token after the victim triggered the recovery flow. This vulnerability is fixed in 2026.05.1.
๐@cveNotify
GitHub
Refresh Tokens Persist Through Password Recovery
### Summary
A stolen refresh token survived a password-forgot flow and could be used to mint fresh
JWTs even after the user reset their password.
### Details
`passwordChange` and `passwordRes...
A stolen refresh token survived a password-forgot flow and could be used to mint fresh
JWTs even after the user reset their password.
### Details
`passwordChange` and `passwordRes...
๐จ CVE-2026-53929
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, with NC_SECURE_ATTACHMENTS=true, an authenticated uploader could deliver .html or .svg attachments that the browser rendered inline from the NocoDB origin instead of forcing a download. The signed attachment handler stored response-header overrides under PascalCase keys (ResponseContentDisposition, ResponseContentType) while the controller that served the file read them under lowercase-hyphen names (response-content-disposition). The mismatch dropped the Content-Disposition: attachment header, leaving Express to auto-render .html, .svg, and similar inline. This vulnerability is fixed in 2026.05.1.
๐@cveNotify
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, with NC_SECURE_ATTACHMENTS=true, an authenticated uploader could deliver .html or .svg attachments that the browser rendered inline from the NocoDB origin instead of forcing a download. The signed attachment handler stored response-header overrides under PascalCase keys (ResponseContentDisposition, ResponseContentType) while the controller that served the file read them under lowercase-hyphen names (response-content-disposition). The mismatch dropped the Content-Disposition: attachment header, leaving Express to auto-render .html, .svg, and similar inline. This vulnerability is fixed in 2026.05.1.
๐@cveNotify
GitHub
Stored Cross-Site Scripting via Secure Attachment
### Summary
With `NC_SECURE_ATTACHMENTS=true`, an authenticated uploader could deliver `.html` or
`.svg` attachments that the browser rendered inline from the NocoDB origin instead of
forcing a ...
With `NC_SECURE_ATTACHMENTS=true`, an authenticated uploader could deliver `.html` or
`.svg` attachments that the browser rendered inline from the NocoDB origin instead of
forcing a ...
๐จ CVE-2026-53930
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the base-migration endpoint accepted a caller-supplied URL that the migration worker dereferenced without enforcing protocol or destination, allowing scheme abuse (file:, ftp:, etc.) and probing of internal HTTP destinations. This vulnerability is fixed in 2026.05.1.
๐@cveNotify
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the base-migration endpoint accepted a caller-supplied URL that the migration worker dereferenced without enforcing protocol or destination, allowing scheme abuse (file:, ftp:, etc.) and probing of internal HTTP destinations. This vulnerability is fixed in 2026.05.1.
๐@cveNotify
GitHub
Server-Side Request Forgery via Base Migration URL
### Summary
The base-migration endpoint accepted a caller-supplied URL that the migration worker
dereferenced without enforcing protocol or destination, allowing scheme abuse
(`file:`, `ftp:`, e...
The base-migration endpoint accepted a caller-supplied URL that the migration worker
dereferenced without enforcing protocol or destination, allowing scheme abuse
(`file:`, `ftp:`, e...
๐จ CVE-2026-53931
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the spreadsheet-import endpoint axiosRequestMake could be used as a generic HTTP proxy. Before the fix it was reachable unauthenticated, and its URL-extension allowlist was a regex tested against the full URL string, so URLs whose query string ended in .csv satisfies the gate even though the
underlying request is for another file. This vulnerability is fixed in 2026.05.1.
๐@cveNotify
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the spreadsheet-import endpoint axiosRequestMake could be used as a generic HTTP proxy. Before the fix it was reachable unauthenticated, and its URL-extension allowlist was a regex tested against the full URL string, so URLs whose query string ended in .csv satisfies the gate even though the
underlying request is for another file. This vulnerability is fixed in 2026.05.1.
๐@cveNotify
GitHub
Server-Side Request Forgery via Spreadsheet Import Endpoint
### Summary
The spreadsheet-import endpoint `axiosRequestMake` could be used as a generic
HTTP proxy. Before the fix it was reachable unauthenticated, and its
URL-extension allowlist was a regex te...
The spreadsheet-import endpoint `axiosRequestMake` could be used as a generic
HTTP proxy. Before the fix it was reachable unauthenticated, and its
URL-extension allowlist was a regex te...
๐จ CVE-2026-54514
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.0.0 until 2.18.8, 2.21.4, and 3.1.4, JDKFromStringDeserializer constructed InetSocketAddress with new InetSocketAddress(host, port), which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an InetSocketAddress field issues an attacker-chosen DNS query during readValue, before any application-level validation or connect logic. The fix uses InetSocketAddress.createUnresolved(host, port), deferring DNS to an explicit connect. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.
๐@cveNotify
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.0.0 until 2.18.8, 2.21.4, and 3.1.4, JDKFromStringDeserializer constructed InetSocketAddress with new InetSocketAddress(host, port), which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an InetSocketAddress field issues an attacker-chosen DNS query during readValue, before any application-level validation or connect logic. The fix uses InetSocketAddress.createUnresolved(host, port), deferring DNS to an explicit connect. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.
๐@cveNotify
GitHub
Improve `InetSocketAddress` deserialization (#5951) ยท FasterXML/jackson-databind@1f5a103
General data-binding package for Jackson: works on streaming API (core) implementation(s) - Improve `InetSocketAddress` deserialization (#5951) ยท FasterXML/jackson-databind@1f5a103
๐จ CVE-2026-12163
Fortra File Integrity Monitoring (FIM), formerly Tripwire Enterprise, versions prior to 9.4.0.1 contain a stored cross-site scripting (XSS) vulnerability in the Asset View UI component. An authenticated user with sufficient privileges to create or modify affected node or database configuration fields could store script content that may be rendered as HTML instead of safely escaped text when the affected Asset View UI content is displayed.
๐@cveNotify
Fortra File Integrity Monitoring (FIM), formerly Tripwire Enterprise, versions prior to 9.4.0.1 contain a stored cross-site scripting (XSS) vulnerability in the Asset View UI component. An authenticated user with sufficient privileges to create or modify affected node or database configuration fields could store script content that may be rendered as HTML instead of safely escaped text when the affected Asset View UI content is displayed.
๐@cveNotify
๐จ CVE-2026-12164
Fortra File Integrity Monitoring (FIM), formerly Tripwire Enterprise, versions prior to 9.4.0 may assign incorrect or elevated effective permissions to users created by the tetool import command while FIM is running, particularly when the import also creates or changes roles or role-permission relationships.
๐@cveNotify
Fortra File Integrity Monitoring (FIM), formerly Tripwire Enterprise, versions prior to 9.4.0 may assign incorrect or elevated effective permissions to users created by the tetool import command while FIM is running, particularly when the import also creates or changes roles or role-permission relationships.
๐@cveNotify
๐จ CVE-2026-48493
Snipe-IT is an IT asset/license management system. In versions prior to 8.6.0, a user with only users.edit can send a PATCH to /api/v1/users/{their_own_id} and grant themselves any permission except admin and superuser โ for example `assets.view`, `assets.create`, `reports.view`, import, etc. The issue is patched in version 8.6.0.
๐@cveNotify
Snipe-IT is an IT asset/license management system. In versions prior to 8.6.0, a user with only users.edit can send a PATCH to /api/v1/users/{their_own_id} and grant themselves any permission except admin and superuser โ for example `assets.view`, `assets.create`, `reports.view`, import, etc. The issue is patched in version 8.6.0.
๐@cveNotify
GitHub
Tighten permission changes and UI, fixed #18831 by snipe ยท Pull Request #19024 ยท grokability/snipe-it
This PR handles an issue where we were being a little too permissive for users with API access editing themselves, and also improves the UI a bit to hide permissions the user can't grant or...
๐จ CVE-2026-11614
The Xpro Addons โ 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'custom_attributes' parameter in all versions up to, and including, 1.7.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
๐@cveNotify
The Xpro Addons โ 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'custom_attributes' parameter in all versions up to, and including, 1.7.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
๐@cveNotify