12 matches found

ATTACKERKB
added 2026/05/13 7:21 p.m., 4 views

CVE-2026-42548

Flight is an extensible micro-framework for PHP. Prior to 3.18.1, Flight::jsonp concatenates the ?jsonp= query parameter directly into an application/javascript response body without validating that the value is a legal JavaScript identifier. An attacker can inject arbitrary JavaScript that...

CVSS 8.6, AI score 5.6, EPSS 0.0002
Exploits 0, References 2, Affected software 1
Vulnrichment
added 2026/05/13 7:21 p.m., 6 views

CVE-2026-42548 Flight: Reflected XSS via unvalidated JSONP callback in Flight::jsonp()

Flight is an extensible micro-framework for PHP. Prior to 3.18.1, Flight::jsonp concatenates the ?jsonp= query parameter directly into an application/javascript response body without validating that the value is a legal JavaScript identifier. An attacker can inject arbitrary JavaScript that...

CVSS 8.6, AI score 5.6, EPSS 0.0002
Exploits 0, References 1
Positive Technologies
added 2026/05/06 12:00 a.m., 4 views

PT-2026-38270

Name of the Vulnerable Software and Affected Versions: Flight versions prior to 3.18.1. Description: The Flight::jsonp function concatenates the jsonp query parameter directly into an application/javascript response body without validating if the value is a legal JavaScript identifier. This allows a...

CVSS 8.6, AI score 5.8, EPSS 0.0002
Exploits 0, References 4
Github Security Blog
added 2025/12/30 7:34 p.m., 9 views

YOURLS is vulnerable to XSS through JSONP and Callback request parameters

Summary: The callback and jsonp request parameters are directly concatenated into the response without any sanitization, allowing attackers to inject arbitrary JS code. When YOURLS_PRIVATE is set to false (public API mode), this vulnerability can be exploited by any unauthenticated attacker. In...

AI score 6.7
Exploits 0, References 3, Affected software 1
EUVD
added 2025/10/07 12:30 a.m., 3 views

EUVD-2018-0587

Malware in sbrugna...

CVSS 7.5, AI score 6, EPSS 0.07316
Exploits 0, References 15
EUVD
added 2025/10/03 8:07 p.m., 4 views

EUVD-2022-4627

Malicious code in bioql PyPI...

CVSS 9.8, AI score 9.4, EPSS 0.0012
Exploits 1, References 5
EUVD
added 2025/10/03 8:07 p.m., 2 views

EUVD-2024-1815

Malicious code in bioql PyPI...

CVSS 6.1, AI score 6.3, EPSS 0.00422
Exploits 0, References 4
IBM Security Bulletins
added 2025/07/28 8:51 p.m., 2 views

Security Bulletin: IBM WebSphere Application Server Liberty, which is bundled with IBM Enterprise Application Runtimes, is affected by a denial of service (CVE-2025-36097)

Summary: IBM WebSphere Application Server Liberty, which is bundled with IBM Enterprise Application Runtimes, is affected by a denial of service with the jsonp-1.0, jsonp-1.1, or jsonp-2.0 features enabled. Vulnerability Details: Refer to the security bulletins listed in the Remediation/Fixes secti...

CVSS 7.5, AI score 6.9, EPSS 0.0027
Exploits 0, Affected software 1
Veracode
added 2018/08/24 1:50 a.m., 10 views

Rosetta Flash JSONP Vulnerability

WebApiContrib.Formatting.Jsonp is affected by the Rosetta Flash JSONP vulnerability. The WriteToStreamAsync function in JsonpMediaTypeFormatter.cs allows printable characters from the callback parameter but is not able to determine if the parameter contains a Flash file. An attacker will be able to...

AI score 6.5
Exploits 0
OSV
added 2018/06/25 3:29 p.m., 0 views

UBUNTU-CVE-2018-11040

Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser...

CVSS 7.5, AI score 6.7, EPSS 0.07316
Exploits 0, References 3
Packet Storm
added 2015/07/17 12:00 a.m., 30 views

AirDroid ID Client Side JSONP Callback

Document Title: AirDroid ID - Client Side JSONP Callback Vulnerability. References (Source): http://www.vulnerability-lab.com/getcontent.php?id=1544. Release Date: 2015-07-10. Vulnerability Laboratory ID (VL-ID): 154...

AI score 7.4
Exploits 0
Cvelist
added 2014/12/01 4:00 p.m., 14 views

CVE-2014-9153

Cross-site scripting (XSS) vulnerability in the Services module 7.x-3.x before 7.x-3.10 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via the callback parameter in a JSONP response...

AI score 5.3, EPSS 0.00248
Exploits 0, References 2