13 matches found

AlpineLinux
added 2026/03/27 2:12 p.m. | 2 views

CVE-2026-33758

OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao installations that have an OIDC/JWT authentication method enabled and a role with callback_mode=direct configured are vulnerable to XSS via the error_description parameter on the page for a failed...

CVSS 9.4 | AI score 5.8 | EPSS 0.00035
Exploits: 0
Vulnrichment
added 2025/11/11 3:30 a.m. | 2 views

CVE-2025-12021 WP-OAuth <= 0.4.1 - Reflected Cross-Site Scripting

The WP-OAuth plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'error_description' parameter in all versions up to, and including, 0.4.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary w...

CVSS 6.1 | AI score 5.2 | EPSS 0.00138
Exploits: 0 | References: 4
RedHat Linux
added 2025/09/22 3:36 p.m. | 1 views

keycloak: Keycloak error_description injection on error pages

A flaw was found in Keycloak. Keycloak’s account console and other pages accept arbitrary text in the error_description query parameter. This text is directly rendered in error pages without validation or sanitization. While HTML encoding prevents XSS, an attacker can craft URLs with misleading...

CVSS 4.3 | AI score 5.8 | EPSS 0.00065
Exploits: 0 | References: 5
NVD
added 2025/09/05 8:15 p.m. | 2 views

CVE-2025-10044

A flaw was found in Keycloak. Keycloak’s account console and other pages accept arbitrary text in the error_description query parameter. This text is directly rendered in error pages without validation or sanitization. While HTML encoding prevents XSS, an attacker can craft URLs with misleading...

CVSS 4.3 | EPSS 0.00065
Exploits: 0 | References: 7
NVD
added 2024/08/26 8:15 p.m. | 14 views

CVE-2024-44794

A cross-site scripting (XSS) vulnerability in the component /master/auth/OnedriveRedirect.php of PicUploader commit fcf82ea allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the error_description parameter...

CVSS 6.1 | EPSS 0.00235
Exploits: 1 | References: 3
CNNVD
added 2024/08/26 12:0 a.m. | 0 views

PicUploader security vulnerability

PicUploader is an image-hosting ("image bed") tool written in PHP by an individual developer, Bruce. It helps you quickly upload your images to a cloud image host and automatically returns a Markdown-formatted link to the clipboard. PicUploader has a security vulnerability that stems from a cross-site scripting...

CVSS 8 | AI score 6.3 | EPSS 0.00211
Exploits: 1 | References: 4
OSV
added 2024/03/02 8:15 a.m. | 1 views

CVE-2024-1775

The Nextend Social Login and Register plugin for WordPress is vulnerable to a self-based Reflected Cross-Site Scripting via the ‘error_description’ parameter in all versions up to, and including, 3.1.12 due to insufficient input sanitization and output escaping. This makes it possible for...

CVSS 5.4 | AI score 7.2
Exploits: 0 | References: 2
CNNVD
added 2022/09/13 12:0 a.m. | 2 views

ovirt-engine cross-site scripting vulnerability

ovirt-engine is an open source virtualization management engine. A security vulnerability exists in ovirt-engine, which stems from the "error_description" parameter not being sanitized for certain input, resulting in reflected cross-site scripting injection on the home page of a Windows...

CVSS 6.1 | AI score 6.5 | EPSS 0.00236
Exploits: 0 | References: 4
Github Security Blog
added 2022/05/24 4:55 p.m. | 19 views

Cosenary Instagram-PHP-API contains reflected XSS vulnerability

cosenary Instagram-PHP-API (aka Instagram PHP API V2), used in the UserPro plugin through 4.9.32 for WordPress, is vulnerable to cross-site scripting via the example/success.php error_description parameter. Vulnerable code (PHP): if (isset($_GET['error'])) echo 'An error occurred: ' . $_GET['error_description'];...

CVSS 6.1 | AI score 6.3 | EPSS 0.23521
Exploits: 6 | References: 6 | Affected Software: 1
OSV
added 2022/05/24 4:55 p.m. | 18 views

GHSA-GCV6-2V9C-RJ48 Cosenary Instagram-PHP-API contains reflected XSS vulnerability

cosenary Instagram-PHP-API (aka Instagram PHP API V2), used in the UserPro plugin through 4.9.32 for WordPress, is vulnerable to cross-site scripting via the example/success.php error_description parameter. Vulnerable code (PHP): if (isset($_GET['error'])) echo 'An error occurred: ' . $_GET['error_description'];...

CVSS 6.1 | AI score 5.9 | EPSS 0.23521
Exploits: 6 | References: 6
OSV
added 2019/09/04 8:15 p.m. | 1 views

CVE-2019-14470

cosenary Instagram-PHP-API (aka Instagram PHP API V2), as used in the UserPro plugin through 4.9.32 for WordPress, has XSS via the example/success.php error_description parameter...

CVSS 6.1 | AI score 6.3
Exploits: 0 | References: 4
Cvelist
added 2016/08/26 7:0 p.m. | 18 views

CVE-2016-5663

Multiple cross-site scripting (XSS) vulnerabilities in oauthcallback.php on Accellion Kiteworks appliances before kw2016.03.00 allow remote attackers to inject arbitrary web script or HTML via the (1) code, (2) error, or (3) error_description parameter...

AI score 6.2 | EPSS 0.00492
Exploits: 0 | References: 2
CVE
added 2015/07/04 2:0 p.m. | 52 views

CVE-2015-1966

CVE-2015-1966 is a cross-site scripting (XSS) vulnerability in IBM Tivoli Federated Identity Manager (TFIM) and related IBM Security Access Manager for Mobile. It affects TFIM versions 6.2.0 before FP17, 6.2.1 before FP9, and 6.2.2 before FP15, allowing a remote attacker to inject arbitrary scrip...

CVSS 4.3 | AI score 5.7 | EPSS 0.00366
Exploits: 0 | References: 6 | Affected Software: 1