| Characters in-between square brackets that close cdata | hackvertor | 10/8/2024 | XSS | 0 |
 2.1k | Chars in href that will not default to full URL | joaxcar | 11/16/2024 | XSS | 0 |
1  1 | < removal bypass | Device1306 | 10/9/2024 | HTML | 0 |
33 | Fuzzing for Max sanitized input (simplified) | vitorfhc | 4/7/2025 | XSS | 0 |
| Characters that cause the backslash to be consumed with a big5 charset | hackvertor | 11/1/2024 | XSS | 0 |
5 | Chars allowed between src and = in img tag | rootd4ddy | 3/2/2025 | XSS | 0 |
| Characters ending XML Processing Instructions (WIP) | ola456 | 2/4/2025 | XSS | 0 |
4 4 | Characters allowed before the JavaScript protocol colon | RemakingEden | 3/3/2025 | XSS | 0 |
| Characters ignored in strings when doing a non strict comparison | hackvertor | 6/18/2024 | JS | 0 |
| Find WAF bypass for eval context | elieehel | 11/22/2024 | JS | 0 |
1 | Characters that can be between < and script> | m10x | 11/12/2024 | HTML | 0 |
15 | Characters appended at the end of PORT within URL, which yield a different HOST | reindaelman | 6/15/2025 | JS | 0 |
| Characters allowed either side of a variable assignment | hackvertor | 7/18/2025 | JS | 0 |
| Characters allowed after throw statement | hackvertor | 7/14/2025 | JS | 0 |
| Characters allowed before the JavaScript protocol | hackvertor | 1/16/2025 | XSS | 0 |
| Characters allowed between slashes using XSS type | hackvertor | 1/16/2025 | XSS | 0 |
31 | Characters appended at the end of TLD within URL, which yield in the same host property | InsertScript | 1/10/2025 | JS | 0 |
| Characters allowed as a class separator | hackvertor | 4/13/2024 | XSS | 0 |
24 | Characters that can be used in eval to write code in between | m-boll | 5/12/2024 | JS | 0 |
| Bypasses for __proto__ string match | vitorfhc | 8/29/2024 | JS | 0 |
