| Characters allowed between an object and bracket notation | cold-try | 4/15/2024 | JS | 0 |
| Tags that remove the span or are self closing | hackvertor | 7/16/2024 | XSS | 0 |
 7  7 | Characters between element name and > | ThomasOrlita | 4/15/2024 | HTML | 0 |
33 | Fuzzing for Max sanitized input (simplified) | vitorfhc | 4/7/2025 | XSS | 0 |
1 | Characters allowed instead of equal sign | c3l3si4n | 4/28/2024 | XSS | 0 |
| Entities still parsed in uppercase | hackvertor | 7/2/2024 | JS | 0 |
| Characters not urlencoded when using the shema part of the URL | d0ge | 9/24/2024 | JS | 0 |
 4 4 | Characters allowed before the JavaScript protocol colon | RemakingEden | 3/3/2025 | XSS | 0 |
| Characters ignored in an attribute name | hackvertor | 5/28/2024 | XSS | 0 |
| Entities allowed between slashes on a protocol relative URL | hackvertor | 7/6/2024 | JS | 0 |
| Characters that act as array literals | hackvertor | 6/24/2024 | JS | 0 |
| Characters allowed as a tag name using DOM APIs | hackvertor | 6/13/2025 | JS | 0 |
| Characters before custom tag | s3np41k1r1t0 | 6/23/2025 | XSS | 0 |
3 | Characters that can be inside the javascript protocol | hipotermia | 1/22/2025 | XSS | 0 |
| Entities allowed between slashes using XSS type | hackvertor | 1/16/2025 | XSS | 0 |
30 30 | Characters prepended to URL, which yield in the same host property | InsertScript | 1/10/2025 | JS | 0 |
| Characters allowed before event in attribute name using setAttribute | hackvertor | 8/21/2024 | JS | 0 |
1 1 | XSS vectors that execute automatically inside math | hackvertor | 4/17/2024 | XSS | 0 |
| Entities allowed between function call and number | hackvertor | 7/2/2024 | XSS | 0 |
| Characters not urlencoded when using the credentials part of the URL | hackvertor | 5/28/2024 | JS | 1 |
