Patch-diff analysis of the June 2026 cumulative update (KB5094128)
| CVE | CVE-2026-45595 — Windows Mark of the Web Security Feature Bypass |
| Severity | Important, CVSS 5.4 (not actively exploited at release) |
| Fixed in | KB5094128 — Windows Server 2022 / 21H2, OS build 20348.5256 (released 2026-06-09) |
| Patched binary | windows.storage.dll (11.0/10.0.20348.5256) |
A Cross-Site Scripting (XSS) vulnerability exists due to a flawed regular expression in the sanitizeHtmlWithStylePreservation function. The regex /<style[\s\S]*?<\/style>/gi used to extract and preserve style tags can be bypassed in two ways, allowing arbitrary HTML and JavaScript to evade DOMPurify sanitization entirely. This results in full XSS execution.
The vulnerability exists in search-parts/src/services/templateService/TemplateService.ts (lines 716-745):
public sanitizeHtmlWithStylePreservation(html: string): string {
if (!html) return html;
| // ============================================================================ | |
| // Repeater Action: Pull tokens/values from Proxy History & Apply to THIS item | |
| // ---------------------------------------------------------------------------- | |
| // WHAT IT DOES | |
| // 1) Scans Proxy history (most recent first) for an entry that matches your filters. | |
| // 2) Extracts values (Cookie header, form params, etc.) via regex extractors. | |
| // 3) Applies the extracted values to the CURRENT Repeater request (requestResponse). | |
| // | |
| // HOW TO USE / EDIT (TL;DR) | |
| // - Set filters in CONFIG (host/path/method/status/in-scope/highlight). Blank = ignored. |
| // @irsdl | |
| // === Config: set what you want to match === | |
| final String TARGET_HOST = "oauth.example.io"; // target domain | |
| final String PATH_PREFIX = "/auth/realms/onba/openid-connect/token"; // match exact or any child path | |
| final short STATUS_CODE = 200; // match the status code where the response has access_token | |
| // Build a ProxyHistoryFilter that only matches completed host+path hits | |
| burp.api.montoya.proxy.ProxyHistoryFilter filter = new burp.api.montoya.proxy.ProxyHistoryFilter() { | |
| @Override | |
| public boolean matches(burp.api.montoya.proxy.ProxyHttpRequestResponse rr) { |
| if(requestResponse.hasResponse() && requestResponse.request().url().contains("/irsdl")){ | |
| var respBody = requestResponse.response().bodyToString(); | |
| respBody = respBody.replaceAll("test|foobar", "example"); | |
| return requestResponse.response().withBody(respBody); | |
| }else{ | |
| return requestResponse.response(); | |
| } |
| $ # HowTo set up AWS CLI version 2 to use Burp Suite | |
| $ | |
| $ # Requirements: Burp Suite, curl | |
| $ | |
| $ # 1. Installing AWS CLI version 2, configure and test | |
| $ | |
| $ curl https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip -o Downloads/awscliv2.zip | |
| % Total % Received % Xferd Average Speed Time Time Time Current | |
| Dload Upload Total Spent Left Speed | |
| 100 33.5M 100 33.5M 0 0 6825k 0 0:00:05 0:00:05 --:--:-- 7290k |
| // by @irsdl | |
| // This script identifies anomalies in how JS parses the URL using `URL(url).hostname`: | |
| // 1- Characters that are ignored when present in the domain name. | |
| // 2- Characters that can replace ASCII characters in domain names and still be parsed correctly. In here we want letter S in `soroush.me` | |
| // You can try running this script in your browser's dev console or at https://www.jdoodle.com/execute-nodejs-online/ | |
| // I am sure this must have been looked at before but I cannot find a reference | |
| for (let i = 0; i <= 0xFFFF; i++) { | |
| const unicodeChar = String.fromCharCode(i); | |
| const urlString = `http://sorous${unicodeChar}h.me/blog/`; |
| // by @irsdl | |
| boolean manualColorHighlightEnabled = true; // e.g. BurpRed anywhere in the request | |
| boolean pwnFoxColorHighlightEnabled = true; // to support PwnFox Firefox extension containers | |
| // BEGIN HIGHLIGHT LOGIC { | |
| boolean hasAlreadyBeenColoured = false; | |
| /* Manual highlight logic to see something like BurpRed */ | |
| if(manualColorHighlightEnabled){ | |
| Pattern manualHighlightPattern = Pattern.compile("burp([a-z]{3,7}+)", Pattern.CASE_INSENSITIVE); // like burpRed or burpYellow |
| import requests | |
| import time | |
| import sys | |
| from base64 import b64encode | |
| from requests_ntlm2 import HttpNtlmAuth | |
| from urllib3.exceptions import InsecureRequestWarning | |
| from urllib import quote_plus | |
| requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning) |