| Characters allowed after a bigint | hackvertor | 7/18/2025 | JS | 0 |
| Characters allowed either side of a variable assignment | hackvertor | 7/18/2025 | JS | 0 |
| Characters allowed after throw statement | hackvertor | 7/14/2025 | JS | 0 |
 82 | encodeURI() not encoded with % | forglockenspielexact | 7/11/2025 | JS | 1 |
| Characters encoded by escape() | JorianWoltjer | 7/4/2025 | JS | 1 |
| Characters encoded by encodeURI() | JorianWoltjer | 7/4/2025 | JS | 1 |
| Characters encoded by encodeURIComponent() | JorianWoltjer | 7/4/2025 | JS | 1 |
| Characters before custom tag | s3np41k1r1t0 | 6/23/2025 | XSS | 0 |
| Injection in src attribute PORT, characters that change hostname | reindaelman | 6/15/2025 | JS | 1 |
15 | Characters appended at the end of PORT within URL, which yield a different HOST | reindaelman | 6/15/2025 | JS | 0 |
| Characters allowed as a tag name using DOM APIs | hackvertor | 6/13/2025 | JS | 0 |
| Characters allowed before host name that are ignored | hackvertor | 6/11/2025 | XSS | 0 |
 280 | Url parsing diff b/w anchor.href and new URL | Sudistark | 5/26/2025 | JS | 0 |
| Scheme slash alternatives in URL() when a base is used | N25sec | 5/22/2025 | JS | 0 |
| Characters that end unencapsulated HTML attribute values | ola456 | 5/14/2025 | XSS | 0 |
| Unicode characters with a decomposition of 2+ ASCII characters and are registerable domains | 0x999-x | 5/7/2025 | XSS | 1 |
| Characters allowed in the protocol that still resolve host name | hackvertor | 5/6/2025 | JS | 0 |
1 | Chars that can be used as opening bracket in innerHTML | nollium | 4/19/2025 | JS | 0 |
33 | Fuzzing for Max sanitized input (simplified) | vitorfhc | 4/7/2025 | XSS | 0 |
1  1 | CSS inline property definition | hipotermia | 3/12/2025 | HTML | 0 |
