| Characters allowed as a class separator | hackvertor | 4/13/2024 | XSS | 0 |
 24 | Characters that can be used in eval to write code in between | m-boll | 5/12/2024 | JS | 0 |
| Bypasses for __proto__ string match | vitorfhc | 8/29/2024 | JS | 0 |
| Characters allowed in-between hyphens | hackvertor | 4/14/2024 | XSS | 1 |
 4 | Entities allowed between two forward slashes | InsertScript | 9/19/2024 | XSS | 1 |
| Characters not urlencoded when using the credentials part of the URL | hackvertor | 5/28/2024 | JS | 1 |
2 | JIS X 0208 bytes that produce ASCII characters | JorianWoltjer | 9/22/2024 | JS | 1 |
| Characters unencoded characters supported in the hash | hackvertor | 9/24/2024 | JS | 1 |
| All events on window | hackvertor | 5/31/2024 | JS | 1 |
1 | Includes Validation Chars Allowed | Simpsonpt | 10/8/2024 | JS | 1 |
| Entities in-between square brackets that close cdata | hackvertor | 10/8/2024 | XSS | 1 |
| Differences between escape vs encodeURIComponent | hackvertor | 10/15/2024 | JS | 1 |
| Characters allowed at IPv6 but don't change the hostname | d0ge | 6/10/2024 | JS | 1 |
2 2 | HTML tags that can clobber the credentials part of the URL | 0x999-x | 11/4/2024 | XSS | 1 |
20 19 | HTML tags and attributes that can be used to access the URL | 0x999-x | 11/4/2024 | XSS | 1 |
| Characters allowed at hostname | d0ge | 6/11/2024 | JS | 1 |
9 | XSS vectors that consume tag | Y4tacker | 11/5/2024 | XSS | 1 |
| Characters that close or encapsulate HTML attribute values | ola456 | 11/5/2024 | XSS | 1 |
1  1 | Characters between < and element name | ThomasOrlita | 4/15/2024 | HTML | 1 |
17 1 | URL scheme separator alternatives | simoneonofri | 11/14/2024 | JS | 1 |
