CVE-2024-10242

The CVE-2024-10242 entry describes a reflected cross-site scripting vulnerability in the authentication endpoint of WSO2 API Manager. The flaw stems from inadequate validation of user-supplied input that is reflected in the response, enabling an attacker to inject script payloads that execute in ...

CVE-2026-20132

Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine ISE could allow an authenticated, remote attacker with administrative write privileges to conduct a stored cross-site scripting XSS attack or a reflected XSS attack against a user of the web-based...

CVE-2026-39344

ChurchCRM is an open-source church management system. Prior to 7.1.0, there is a Reflected Cross-Site Scripting XSS vulnerability on the login page, which is caused by the lack of sanitization or encoding of the username parameter received from the URL. The username parameter value is directly...

CVE-2026-30526

A Reflected Cross-Site Scripting XSS vulnerability exists in SourceCodester Zoo Management System v1.0. The vulnerability is located in the login page, specifically within the msg parameter. The application reflects the content of the msg parameter back to the user without proper HTML encoding or...

CVE-2026-34739 AVideo: Reflected XSS via Unescaped ip Parameter in User_Location testIP.php

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the UserLocation plugin's testIP.php page reflects the ip request parameter directly into an HTML input element without applying htmlspecialchars or any other output encoding. This allows an attacker to inject arbitrary HTM...

AVideo Vulnerable to Reflected XSS via Unsanitized plugin Parameter in YPTWallet Stripe Payment Page

Summary The YPTWallet Stripe payment confirmation page directly echoes the $REQUEST'plugin' parameter into a JavaScript block without any encoding or sanitization. The plugin parameter is not included in any of the framework's input filter lists defined in security.php, so it passes through...

CVE-2026-30559

A Reflected Cross-Site Scripting XSS vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the addsales.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML...

CVE-2026-29933

CVE-2026-29933 describes a reflected XSS in YZMCMS v7.4, specifically in the "/index/login.html" component. The issue arises when an attacker can modify the referrer header, causing arbitrary Javascript to run in the victim’s browser. Affected product/version: YZMCMS 7.4. Root cause: reflected XS...

EUVD-2026-13690

Zimbra Collaboration Suite ZCS 10.0 and 10.1 contains a reflected cross-site scripting XSS vulnerability in the Classic Webmail REST interface /h/rest. The application fails to properly sanitize user-supplied input, allowing an unauthenticated attacker to inject malicious JavaScript into a crafte...

CVE-2026-27068

CVE-2026-27068 describes a Reflected XSS in the WordPress plugin Website LLMs.txt (versions n/a through <= 8.2.6). The issue arises from improper neutralization of input during web page generation, enabling cross-site scripting when user-supplied data is reflected. Several connected sources (N...

CVE-2025-69245

Raytha CMS is vulnerable to Reflected XSS via returnUrl parameter in logon functionality. An attacker can craft a malicious URL which, when opened by the authenticated victim, results in arbitrary JavaScript execution in the victim’s browser. This issue was fixed in 1.4.6...

CVE-2025-69242

Raytha CMS is vulnerable to reflected XSS via the backToListUrl parameter. An attacker can craft a malicious URL which, when opened by authenticated victim, results in arbitrary JavaScript execution in the victim’s browser. This issue was fixed in version 1.4.6...

PT-2026-24464

Name of the Vulnerable Software and Affected Versions SiYuan versions prior to 3.5.10 Description SiYuan is a personal knowledge management system susceptible to a reflected cross-site scripting XSS condition. The SVG sanitizer, SanitizeSVG, inadequately checks href attributes for the 'javascript...

CVE-2026-2830

The WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘filepath’ parameter in all versions up to, and including, 4.0.0 due to insufficient input sanitization and output escaping. This makes it possib...

CVE-2026-2678

Reflected Cross-Site Scripting XSS on the A3factura web platform, in parameter 'name', parameter 'name', in 'a3factura-app.wolterskluwer.es//incomes/customers' endpoint, which could allow an attacker to execute arbitrary code in the victim's browser...

CVE-2026-27512

Affected product/firmware: Shenzhen Tenda F3 Wireless Router, firmware V12.01.01.55_multi. Issue: Content-type confusion in the administrative interface where responses omit the X-Content-Type-Options: nosniff header and reflect attacker-influenced content into the response body. MIME sniffing ma...

CVE-2019-25426

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input to the dnsmasq endpoint. Attackers can send POST requests with script payloads in the TRANSPARENTSOURCEBYPASS or...

CVE-2019-25412

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting unsanitized input through the NTPSERVERLIST parameter. Attackers can send POST requests to the /korugan/time endpoint with script payloads in the...

CVE-2019-25427 Comodo Dome Firewall 2.7.0 Reflected Cross-Site Scripting via antispyware

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input to the antispyware endpoint. Attackers can send POST requests with JavaScript payloads in the DNSMASQWHITELIST or DNSMASQBLACKLIST...

CVE-2025-14452 WP Customer Reviews <= 3.7.5 - Reflected Cross-Site Scripting via 'wpcr3_fname' Parameter

The WP Customer Reviews plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'wpcr3fname' parameter in all versions up to, and including, 3.7.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...