 280 | Url parsing diff b/w anchor.href and new URL | Sudistark | 5/26/2025 | JS | 0 |
| Scheme slash alternatives in URL() when a base is used | N25sec | 5/22/2025 | JS | 0 |
| Characters that end unencapsulated HTML attribute values | ola456 | 5/14/2025 | XSS | 0 |
| Unicode characters with a decomposition of 2+ ASCII characters and are registerable domains | 0x999-x | 5/7/2025 | XSS | 1 |
| Characters allowed in the protocol that still resolve host name | hackvertor | 5/6/2025 | JS | 0 |
 1 | Chars that can be used as opening bracket in innerHTML | nollium | 4/19/2025 | JS | 0 |
33 | Fuzzing for Max sanitized input (simplified) | vitorfhc | 4/7/2025 | XSS | 0 |
1  1 | CSS inline property definition | hipotermia | 3/12/2025 | HTML | 0 |
| Characters that starts element name | lUcgryy | 3/10/2025 | HTML | 0 |
1 1 | Escape inline double quote | lUcgryy | 3/7/2025 | XSS | 0 |
 4 4 | Characters allowed before the JavaScript protocol colon | RemakingEden | 3/3/2025 | XSS | 0 |
5 | Chars allowed between src and = in img tag | rootd4ddy | 3/2/2025 | XSS | 0 |
30 | Characters Allowed Between Protocol // and localhost Where Host Still Equals localhost | rootd4ddy | 3/2/2025 | JS | 0 |
| Url parsing diff b/w window.open and new URL | Sudistark | 2/21/2025 | JS | 0 |
| Characters ending XML Processing Instructions (WIP) | ola456 | 2/4/2025 | XSS | 0 |
| Tags that DO NOT support HTML comments | hackvertor | 1/26/2025 | XSS | 0 |
106 106 | Tags that support HTML comments | hackvertor | 1/26/2025 | XSS | 0 |
| Tags that get moved out of parent | hackvertor | 1/22/2025 | XSS | 0 |
3 | Characters that can be inside the javascript protocol | hipotermia | 1/22/2025 | XSS | 0 |
| Tags that get reordered in the DOM | hackvertor | 1/21/2025 | XSS | 0 |
