CVE-2026-33758 OpenBao has Reflected XSS in its OIDC authentication error message

OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao installations that have an OIDC/JWT authentication method enabled and a role with callbackmode=direct configured are vulnerable to XSS via the errordescription parameter on the page for a failed...

CVE-2026-31382

The errordescription parameter is vulnerable to Reflected XSS. An attacker can bypass the domain's WAF using a Safari-specific onpagereveal payload...

CVE-2026-31382

The errordescription parameter is vulnerable to Reflected XSS. An attacker can bypass the domain's WAF using a Safari-specific onpagereveal payload...

CVE-2026-31382

The errordescription parameter is vulnerable to Reflected XSS. An attacker can bypass the domain's WAF using a Safari-specific onpagereveal payload...

EUVD-2026-9963

A vulnerability was found in HSC Cybersecurity Mailinspector up to 5.3.2-3. Affected by this issue is some unknown functionality of the file /mailinspector/mliUserValidation.php of the component URL Handler. The manipulation of the argument errordescription results in cross site scripting. The...

Cross-site Scripting (XSS)

Overview agents is an A home for your AI agents Affected versions of this package are vulnerable to Cross-site Scripting XSS via the errordescription query parameter, which is directly interpolated into an HTML script tag without proper escaping. An attacker can execute arbitrary JavaScript in th...

CVE-2026-1721

Summary A Reflected Cross-Site Scripting XSS vulnerability was discovered in the AI Playground's OAuth callback handler. The errordescription query parameter was directly interpolated into an HTML script tag without proper escaping, allowing attackers to execute arbitrary JavaScript in the contex...

Cloudflare Agents 安全漏洞

Cloudflare Agents is an open-source tool developed by Cloudflare for building and deploying AI agents on Cloudflare platforms. There is a security vulnerability in Cloudflare Agents, which stems from the improper escaping of the errordescription query parameter in the OAuth callback handler of th...

CVE-2025-12021

The WP-OAuth plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'errordescription' parameter in all versions up to, and including, 0.4.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary w...

EUVD-2025-60951

The WP-OAuth plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'errordescription' parameter in all versions up to, and including, 0.4.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary w...

CVE-2025-12021

The WP-OAuth plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'errordescription' parameter in all versions up to, and including, 0.4.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary w...

CVE-2025-12021 WP-OAuth <= 0.4.1 - Reflected Cross-Site Scripting

The WP-OAuth plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'errordescription' parameter in all versions up to, and including, 0.4.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary w...

PT-2025-46272

Name of the Vulnerable Software and Affected Versions WP-OAuth plugin for WordPress versions up to and including 0.4.1 Description The WP-OAuth plugin for WordPress is susceptible to Reflected Cross-Site Scripting. This is due to insufficient input sanitization and output escaping related to the...

keycloak: Keycloak error_description injection on error pages

A flaw was found in Keycloak. Keycloak’s account console and other pages accept arbitrary text in the errordescription query parameter. This text is directly rendered in error pages without validation or sanitization. While HTML encoding prevents XSS, an attacker can craft URLs with misleading...

GHSA-XMCW-MV9P-7PQ2 Duplicate Advisory: Keycloak error_description injection on error pages that can trigger phishing attacks

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-27gc-wj6x-9w55. This link is maintained to preserve external references. Original Description A flaw was found in Keycloak. Keycloak’s account console and other pages accept arbitrary text in the errordescriptio...

CVE-2025-10044

A flaw was found in Keycloak. Keycloak’s account console and other pages accept arbitrary text in the errordescription query parameter. This text is directly rendered in error pages without validation or sanitization. While HTML encoding prevents XSS, an attacker can craft URLs with misleading...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the errordescription query parameter, which is rendered directly on error pages without validation or sanitization. An attacker can display misleading messages within the trusted user interface by crafting...

CVE-2024-44794

A cross-site scripting XSS vulnerability in the component /master/auth/OnedriveRedirect.php of PicUploader commit fcf82ea allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the errordescription parameter...

CVE-2024-44796

A cross-site scripting XSS vulnerability in the component /auth/AzureRedirect.php of PicUploader commit fcf82ea allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the errordescription parameter...

CVE-2024-44794

A cross-site scripting XSS vulnerability in the component /master/auth/OnedriveRedirect.php of PicUploader commit fcf82ea allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the errordescription parameter...