CVE-2026-27964

FacturaScripts is an open source accounting and invoicing software. Versions 2025.7 and prior contain a Reflected Cross-Site Scripting XSS vulnerability through the fsNick cookie parameter. The application reflects the cookie's value directly into the HTML without sanitization. The fsNick cookie ...

CVE-2026-6495 Ajax Load More < 7.8.4 - Reflected XSS

The Ajax Load More WordPress plugin before 7.8.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

MantisBT 1.0.0 < 2.28.2 Dynamic Custom Textarea Field Reflected XSS (GHSA-j7v9-f46r-2rp4)

The version of MantisBT installed on the remote host is 1.0.0 or later but prior to 2.28.2. It is, therefore, affected by a vulnerability: - MantisBT is Vulnerable to Reflected XSS in Rendering Dynamic Custom Textarea Field. CVE-2026-41897 Note that Nessus has not tested for this issue but has...

EUVD-2018-21854

Zenar Content Management System contains a cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating form parameters in POST requests. Attackers can inject script tags through the currentpage parameter sent to the ajax.php endpoint, which...

CVE-2026-44376

CubeCart is an ecommerce software solution. Prior to 6.7.0, an unauthenticated Reflected XSS vulnerability exists in the CubeCart v6.x search feature. Due to a logic flaw in classes/catalogue.class.php, user input is reflected without sanitization only when a search returns exactly one product...

CVE-2026-42458

Magento Long Term Support LTS is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to 20.18.0, there is a reflected XSS vulnerability under admin panel - System - Import/Export -...

CVE-2026-42458

CVE-2026-42458 (Magento LTS/OpenMage Magento-LTS) : A reflected XSS in the admin-import/export Dataflow - Profiles feature allows injection via the filename parameter in the Dataflow Import path. Affected: OpenMage/magento-lts (unofficial Magento LTS) prior to version 20.18.0. Evidence across sou...

CVE-2026-42458 Magento LTS: Reflected XSS - Import -> Data Flow (profiles)

Magento Long Term Support LTS is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to 20.18.0, there is a reflected XSS vulnerability under admin panel - System - Import/Export -...

dvwa_xss_lab

DVWA XSS Lab Project Introduction This project creates a...

podinfo: cross-site scripting vulnerability in the /echo and /api/echo endpoints

podinfo through 6.11.2 contains a reflected cross-site scripting vulnerability in the /echo and /api/echo endpoints where the echoHandler writes request body content directly to the response without setting explicit Content-Type or X-Content-Type-Options headers. Attackers can craft cross-origin...

GHSA-Q23M-VM9R-5745 podinfo: cross-site scripting vulnerability in the /echo and /api/echo endpoints

podinfo through 6.11.2 contains a reflected cross-site scripting vulnerability in the /echo and /api/echo endpoints where the echoHandler writes request body content directly to the response without setting explicit Content-Type or X-Content-Type-Options headers. Attackers can craft cross-origin...

CVE-2026-1630

WEBCON BPS is vulnerable to Reflected XSS via one of parameters used by "/openinmobileapp" endpoint. An attacker can send a specially crafted URL that, when opened by an authenticated user, results in arbitrary JavaScript execution in the victim's browser. This issue was fixed in versions...

CVE-2026-1630

CVE-2026-1630 details : WEBCON BPS is vulnerable to a Reflected XSS via parameters used by the "/openinmobileapp" endpoint. An attacker can craft a URL that, when opened by an authenticated user, results in arbitrary JavaScript execution in the victim’s browser. The issue is fixed in versions 202...

CVE-2026-1630

WEBCON BPS is vulnerable to Reflected XSS via one of parameters used by "/openinmobileapp" endpoint. An attacker can send a specially crafted URL that, when opened by an authenticated user, results in arbitrary JavaScript execution in the victim's browser. This issue was fixed in versions...

CVE-2026-1630 Reflected XSS in WEBCON BPS

WEBCON BPS is vulnerable to Reflected XSS via one of parameters used by "/openinmobileapp" endpoint. An attacker can send a specially crafted URL that, when opened by an authenticated user, results in arbitrary JavaScript execution in the victim's browser. This issue was fixed in versions...

EUVD-2026-30279

WEBCON BPS is vulnerable to Reflected XSS via one of parameters used by "/openinmobileapp" endpoint. An attacker can send a specially crafted URL that, when opened by an authenticated user, results in arbitrary JavaScript execution in the victim's browser. This issue was fixed in versions...

CVE-2026-43644 podinfo 6.11.2 Reflected XSS via /echo Endpoint

podinfo through 6.11.2 contains a reflected cross-site scripting vulnerability in the /echo and /api/echo endpoints where the echoHandler writes request body content directly to the response without setting explicit Content-Type or X-Content-Type-Options headers. Attackers can craft cross-origin...

CVE-2026-43644

CVE-2026-43644 affects podinfo up to version 6.11.2. The vulnerability is a reflected XSS in the /echo and /api/echo endpoints, caused by the echoHandler writing the request body to the response without setting explicit Content-Type or X-Content-Type-Options headers. Go’s content-type detection m...

CVE-2025-15345

The MapGeo – Interactive Geo Maps plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'map' parameter in the display-map shortcode in all versions up to, and including, 1.6.27 due to insufficient input sanitization and output escaping. This makes it possible for...

CVE-2025-15345

The MapGeo – Interactive Geo Maps plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'map' parameter in the display-map shortcode in all versions up to, and including, 1.6.27 due to insufficient input sanitization and output escaping. This makes it possible for...