Merged
12 changes: 8 additions & 4 deletions docs/CVE_OVERVIEW.md
Expand Up @@ -31,8 +31,8 @@
| Severity | v4 | v3 | v2 | v1 |
| -------- | --: | --: | --: | --: |
| critical | 4 | 4 | 4 | 2 |
| high | 25 | 24 | 35 | 23 |
| moderate | 7 | 7 | 19 | 1 |
| high | 28 | 25 | 36 | 23 |
| moderate | 8 | 8 | 20 | 1 |
| low | 3 | 3 | 8 | 0 |
| info | 0 | 0 | 0 | 0 |
| unknown | 0 | 0 | 0 | 0 |
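Review bot: The `high` and `moderate` totals in this table are derived from the package rows further down, and nothing in the hunk says how they were produced; name the generating command or audit run next to the table so a hand-edited count that drifts from the rows is caught in review. For this change the numbers do reconcile with the listing: three new high rows on v4, v3 and v2, minus the two tar entries that drop v3 and v2, give 25 to 28, 24 to 25 and 35 to 36, and the one new moderate row gives 7 to 8, 7 to 8 and 19 to 20.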
Expand All @@ -58,7 +58,9 @@
| express-rate-limit | high | CVE-2026-30827 | v2 | express-rate-limit: IPv4-mapped IPv6 addresses bypass per-client rate limiting o |
| fast-xml-parser | high | CVE-2026-25128 | v4, v3, v2 | fast-xml-parser has RangeError DoS Numeric Entities Bug |
| fast-xml-parser | high | CVE-2026-26278 | v4, v3, v2 | fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansio |
| fast-xml-parser | high | CVE-2026-33036 | v4, v3, v2 | fast-xml-parser affected by numeric entity expansion bypassing all entity expans |
| flatted | high | CVE-2026-32141 | v4, v3, v2 | flatted vulnerable to unbounded recursion DoS in parse() revive phase |
| flatted | high | CVE-2026-33228 | v4, v3, v2 | Prototype Pollution via parse() in NodeJS flatted |
| hono | high | CVE-2026-29045 | v2 | Hono vulnerable to arbitrary file access via serveStatic vulnerability |
| immutable | high | CVE-2026-29063 | v2 | Immutable is vulnerable to Prototype Pollution |
| locutus | high | CVE-2026-29091 | v4, v3, v2, v1 | locutus call_user_func_array vulnerable to Remote Code Execution (RCE) due to Co |
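Review bot: The two rows added here, CVE-2026-33036 for fast-xml-parser and CVE-2026-33228 for flatted, carry titles cut at a fixed width ("... bypassing all entity expans"), which drops the part a reader needs to judge exposure. Link each CVE id to its advisory or widen the title column, and consider a fixed-version column, since both rows list v4, v3 and v2 as affected with no indication of which dependency version resolves them.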
Expand All @@ -69,19 +71,21 @@
| rollup | high | CVE-2026-27606 | v1 | Rollup 4 has Arbitrary File Write via Path Traversal |
| semver | high | CVE-2022-25883 | v2 | semver vulnerable to Regular Expression Denial of Service |
| serialize-javascript | high | GHSA-5c6j-r48x-rmvq | v4, v3, v2, v1 | Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.to |
| socket.io-parser | high | CVE-2026-33151 | v4, v3, v2 | socket.io allows an unbounded number of binary attachments |
| svgo | high | CVE-2026-29074 | v4, v3, v2, v1 | SVGO DoS through entity expansion in DOCTYPE (Billion Laughs) |
| tar | high | CVE-2026-24842 | v1 | node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Trave |
| tar | high | CVE-2026-23745 | v1 | node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Ins |
| tar | high | CVE-2026-26960 | v4, v1 | Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in no |
| tar | high | CVE-2026-29786 | v4, v3, v2, v1 | tar has Hardlink Path Traversal via Drive-Relative Linkpath |
| tar | high | CVE-2026-31802 | v4, v3, v2, v1 | node-tar Symlink Path Traversal via Drive-Relative Linkpath |
| tar | high | CVE-2026-29786 | v4, v1 | tar has Hardlink Path Traversal via Drive-Relative Linkpath |
| tar | high | CVE-2026-31802 | v4, v1 | node-tar Symlink Path Traversal via Drive-Relative Linkpath |
| tar | high | CVE-2026-23950 | v1 | Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on |
| undici | high | CVE-2026-1528 | v4, v3, v2 | Undici: Malicious WebSocket 64-bit length overflows parser and crashes the clien |
| undici | high | CVE-2026-1526 | v4, v3, v2 | Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompre |
| undici | high | CVE-2026-2229 | v4, v3, v2 | Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_win |
| ajv | moderate | CVE-2025-69873 | v3, v2 | ajv has ReDoS when using `$data` option |
| ejs | moderate | CVE-2024-33883 | v2 | ejs lacks certain pollution protection |
| esbuild | moderate | GHSA-67mh-4wv8-2f99 | v2 | esbuild enables any website to send any requests to the development server and r |
| fast-xml-parser | moderate | CVE-2026-33349 | v4, v3, v2 | Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evalua |
| file-type | moderate | CVE-2026-31808 | v4 | file-type affected by infinite loop in ASF parser on malformed input with zero-s |
| hono | moderate | CVE-2026-29086 | v2 | Hono Vulnerable to Cookie Attribute Injection via Unsanitized domain and path in |
| hono | moderate | CVE-2026-29085 | v2 | Hono Vulnerable to SSE Control Field Injection via CR/LF in writeSSE() |
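Review bot: The tar rows for CVE-2026-29786 and CVE-2026-31802 narrow their affected list from `v4, v3, v2, v1` to `v4, v1`, but the visible diff contains no dependency or lockfile change that explains why v3 and v2 are no longer affected. Reference the tar upgrade or removal on those branches in the PR description, or keep the wider list until that change is in, so the overview does not understate exposure on v3 and v2.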
17 changes: 2 additions & 15 deletions packages/components/src/components/details/style.scss
Expand Up @@ -3,25 +3,12 @@
@use '../host-display-block' as *;
@use '../@shared/collapsible.mixin' as *;
@use '../@shared/icon.mixin' as *;
@use '../@shared/button.mixin' as *;

@layer kol-component {
@include kol-button-styles('kol-button');
@include kol-icon-styles();
.kol-details {
&__heading-button {
display: flex;

.kol-button {
min-height: auto;

.kol-span {
&__label {
border-bottom-color: grey;
border-bottom-style: solid;
}
}
}
}

.collapsible--open &__heading-button {
.kol-icon {
transform: rotate(90deg);
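Review bot: The `.kol-button` rules nested under `&__heading-button` are where the base component supplied `border-bottom-style: solid` and `border-bottom-color: grey` for `.kol-span__label`; with that block among the 15 deleted lines, the label underline exists only where a theme declares it in full. The default theme is moved to a complete `border-bottom` shorthand in this PR, so check any other theme that set only a color or width and relied on the base style, because its underline will disappear without an error. `min-height: auto` on `.kol-button` sits in the same block and needs the same check for the heading button's height, as does the removal of `@include kol-button-styles('kol-button');` if the heading still renders a kol-button.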
Binary file not shown.
2 changes: 1 addition & 1 deletion packages/themes/default/src/components/details.scss
Expand Up @@ -34,7 +34,7 @@
}

&__label {
border-bottom-color: #000;
border-bottom: 3px solid black;
}
}

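Review bot: Replacing `border-bottom-color: #000;` with `border-bottom: 3px solid black;` under `&__label` moves width and style into the theme as literals and swaps the hex color for a keyword. If the theme has a size helper or color token, use it here and keep one color notation; otherwise a later change to the underline has to be found and repeated in every theme.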
4 changes: 0 additions & 4 deletions packages/themes/kern/src/components/details.scss
Expand Up @@ -20,10 +20,6 @@
.kol-icon {
font-size: to-rem(24);
}

.kol-span__label {
border-bottom: 0;
}
}

.kol-details {
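Review bot: Dropping the `.kol-span__label { border-bottom: 0; }` reset is only safe once the base rule in packages/components/src/components/details/style.scss no longer sets a border, so this hunk depends on that file's change shipping together with it. Say so in the commit message, and confirm with a visual check that the kern details heading still renders without an underline if the component package and the theme can be released separately.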