GHSA-HHG7-C65M-H7FF Symfony's HtmlSanitizer UrlAttributeSanitizer Omits action/formaction/poster/cite — `javascript`: URI Survives Sanitization (XSS)

Description symfony/html-sanitizer lets applications sanitise untrusted HTML. UrlAttributeSanitizer is the visitor responsible for validating URL-valued attributes and stripping dangerous schemes from them; it runs on every element regardless of configuration. Whether an attribute is kept is...

Symfony's HtmlSanitizer UrlAttributeSanitizer Omits action/formaction/poster/cite — `javascript`: URI Survives Sanitization (XSS)

Description symfony/html-sanitizer lets applications sanitise untrusted HTML. UrlAttributeSanitizer is the visitor responsible for validating URL-valued attributes and stripping dangerous schemes from them; it runs on every element regardless of configuration. Whether an attribute is kept is...

PT-2026-44727

Description symfony/html-sanitizer lets applications sanitise untrusted HTML. UrlAttributeSanitizer is the visitor responsible for validating URL-valued attributes and stripping dangerous schemes from them; it runs on every element regardless of configuration. Whether an attribute is kept is...

CVE-2026-48227

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in patient.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the id and ticketid GET parameters directly into an HTML form action URL. Attackers can...

CVE-2026-48217

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in deletemodule.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the multiple POST parameters modulechoice, flag, confirmation directly into render...

CVE-2026-48228

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in patientw.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the id and ticketid GET parameters directly into an HTML form action URL. Attackers ca...

EUVD-2026-31310

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in patientw.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the id and ticketid GET parameters directly into an HTML form action URL. Attackers ca...

CVE-2026-48228 Open ISES Tickets < 3.44.2 Reflected XSS via patient_w.php id and ticket_id Parameters

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in patientw.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the id and ticketid GET parameters directly into an HTML form action URL. Attackers ca...

EUVD-2026-31307

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in patient.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the id and ticketid GET parameters directly into an HTML form action URL. Attackers can...

PT-2026-42505

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in patient.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the id and ticket id GET parameters directly into an HTML form action URL. Attackers ca...

PT-2026-42506

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in patient w.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the id and ticket id GET parameters directly into an HTML form action URL. Attackers...

CVE-2026-8626

The SponsorMe plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHPSELF Parameter in all versions up to, and including, 0.5.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in...

CVE-2026-8626

The SponsorMe plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHPSELF Parameter in all versions up to, and including, 0.5.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in...

EUVD-2026-31024

The SponsorMe plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHPSELF Parameter in all versions up to, and including, 0.5.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in...

CVE-2026-8627 Correct Prices <= 1.0 - Reflected Cross-Site Scripting via PHP_SELF Parameter

The Correct Prices plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $SERVER'PHPSELF' variable in versions up to and including 1.0. This is due to the correctpricespage function echoing $SERVER'PHPSELF' into a form's action attribute without any input sanitization or...

CVE-2026-8627 Correct Prices <= 1.0 - Reflected Cross-Site Scripting via PHP_SELF Parameter

The Correct Prices plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $SERVER'PHPSELF' variable in versions up to and including 1.0. This is due to the correctpricespage function echoing $SERVER'PHPSELF' into a form's action attribute without any input sanitization or...

CVE-2026-8627

The CVE-2026-8627 entry affects the WordPress plugin Correct Prices (

PT-2026-42083

Name of the Vulnerable Software and Affected Versions SponsorMe versions prior to 0.5.3 Description Insufficient input sanitization and output escaping allow unauthenticated attackers to inject arbitrary web scripts into pages. This occurs when a user is tricked into clicking a crafted link. The...

PT-2026-42084

Name of the Vulnerable Software and Affected Versions Correct Prices versions prior to 1.1 Description The Correct Prices plugin for WordPress is subject to Reflected Cross-Site Scripting, a flaw where an application includes untrusted data in a web page without proper validation, allowing an...

CVE-2026-3601

The User Registration & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the embedformaction function in all versions up to, and including, 5.1.4. This makes it possible for authenticated attackers, with Contributor-level acce...