21 matches found

Snyk
added 2026/05/07 7:34 p.m., 2 views

Cross-site Scripting (XSS)

Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the fsNick cookie parameter, which is reflected into the HTML without proper sanitization. An attacker can execute arbitrary JavaScript code in the context of the user's browser by tricking a user with a val...

CVSS 3.9 | AI score 5.8 | EPSS 0.00018
Exploits: 0 | References: 2

Snyk
added 2026/03/18 8:23 p.m., 2 views

Cross-site Scripting (XSS)

Overview: nltk is a Natural Language Toolkit. NLTK is a Python package for natural language processing. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the lookup... route in the web interface, where attacker-controlled input is reflected into the HTML response...

CVSS 6.1 | AI score 5.9 | EPSS 0.00019
Exploits: 1 | References: 2

Cvelist
added 2026/02/19 10:54 a.m., 26 views

CVE-2025-15562 Reflected Cross-Site Scripting in NesterSoft WorkTime

The server API endpoint /report/internet/urls reflects received data into the HTML response without applying proper encoding or filtering. This allows an attacker to execute arbitrary JavaScript in the victim's browser if the victim opens a URL prepared by the attacker...

EPSS 0.00039
Exploits: 0 | References: 1

RedhatCVE
added 2026/01/07 9:33 a.m., 4 views

CVE-2019-16987

In FusionPBX up to v4.5.7, the file app\contacts\contactimport.php uses an unsanitized "querystring" variable coming from the URL, which is reflected in HTML, leading to XSS...

CVSS 6.1 | AI score 6.8 | EPSS 0.00328
Exploits: 0 | References: 1

OSV
added 2025/12/01 7:7 p.m., 1 views

GHSA-R77H-RPP9-W2XM Spotipy has a XSS vulnerability in its OAuth callback server

Summary: XSS vulnerability in OAuth callback server allows JavaScript injection through unsanitized error parameter. Attackers can execute arbitrary JavaScript in the user's browser during OAuth authentication. Details: Vulnerable Code: spotipy/oauth2.py lines 1238-1274 RequestHandler.doGET The...

CVSS 3.6 | AI score 6.1 | EPSS 0.00019
Exploits: 0 | References: 4

OSV
added 2025/11/13 1:50 a.m., 2 views

CVE-2025-64711 PrivateBin vulnerable to malicious filename use for self-XSS / HTML injection locally for users

PrivateBin is an online pastebin where the server has zero knowledge of pasted data. Starting in version 1.7.7 and prior to version 2.0.3, dragging a file whose filename contains HTML is reflected verbatim into the page via the drag-and-drop helper, so any user who drops a crafted file on...

CVSS 3.9 | AI score 7.2 | EPSS 0.00013
Exploits: 1 | References: 4

CVE
added 2025/11/06 12:0 a.m., 6 views

CVE-2025-63589

CMSimple_XH 1.8 is affected by a reflected XSS in the index.php router: attacker-controlled path segments are not sanitized/encoded before being inserted into generated HTML (navigation links, breadcrumbs, search form action, footer links), allowing arbitrary JavaScript in victims’ browsers via a...

CVSS 7.1 | AI score 6 | EPSS 0.00058
Exploits: 1 | References: 2 | Affected Software: 1

CVE
added 2025/10/20 12:0 a.m., 12 views

CVE-2025-61456

The CVE-2025-61456 entry documents a reflected XSS in Bhabishya-123 E-commerce 1.0, specifically in the index endpoint. Unescaped input from the /index parameter is echoed into the HTML response, enabling arbitrary JavaScript execution in a user’s browser via a crafted link or request. Affected p...

CVSS 6.1 | AI score 5.7 | EPSS 0.00032
Exploits: 1 | References: 1

CVE
added 2025/10/20 12:0 a.m., 3 views

CVE-2025-61454

CVE-2025-61454 is an XSS vulnerability in the /search endpoint of Bhabishya-123 E-commerce 1.0. Unescaped input in the search parameter is directly reflected into the HTML response, allowing an attacker to execute arbitrary JavaScript in a user’s browser when a malicious link or crafted request i...

CVSS 6.1 | AI score 5.7 | EPSS 0.00032
Exploits: 0 | References: 1

EUVD
added 2025/10/07 12:30 a.m., 1 views

EUVD-2019-7445

Malware in sbrugna...

CVSS 6.1 | AI score 6.3 | EPSS 0.00328
Exploits: 0 | References: 3

EUVD
added 2025/10/07 12:30 a.m., 1 views

EUVD-2019-7448

Malware in sbrugna...

CVSS 6.1 | AI score 6.3 | EPSS 0.00328
Exploits: 0 | References: 3

EUVD
added 2025/10/07 12:30 a.m., 1 views

EUVD-2019-7443

Malware in sbrugna...

CVSS 6.1 | AI score 6.3 | EPSS 0.00333
Exploits: 0 | References: 4

EUVD
added 2025/10/07 12:30 a.m., 1 views

EUVD-2019-7455

Malware in sbrugna...

CVSS 6.1 | AI score 6.3 | EPSS 0.00328
Exploits: 0 | References: 3

EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2018-18428

Malware in sbrugna...

CVSS 5.5 | AI score 5.5 | EPSS 0.00155
Exploits: 0 | References: 2

RedhatCVE
added 2025/05/22 8:34 a.m., 4 views

CVE-2019-16983

In FusionPBX up to v4.5.7, the file resources\paging.php has a paging function called by several pages of the interface, which uses an unsanitized "param" variable constructed partially from the URL args and reflected in HTML, leading to XSS...

CVSS 6.1 | AI score 6.8 | EPSS 0.00328
Exploits: 0 | References: 1

CNNVD
added 2024/12/27 12:0 a.m., 1 views

LinkAce security vulnerability

LinkAce is a self-hosted archive of links to your favorite websites by Kevin Woblick Personal Developer. A security vulnerability exists in LinkAce versions prior to 1.15.6 that stems from user input that is not properly cleaned or encoded before being reflected in an HTML response. An attacker...

CVSS 5.4 | AI score 6.7 | EPSS 0.01265
Exploits: 1 | References: 2

NVD
added 2024/06/26 4:15 p.m., 24 views

CVE-2024-25637

October is a self-hosted CMS platform based on the Laravel PHP Framework. The X-October-Request-Handler Header does not sanitize the AJAX handler name and allows unescaped HTML to be reflected back. There is no impact since this vulnerability cannot be exploited through normal browser interaction...

CVSS 5.4 | EPSS 0.00821
Exploits: 0 | References: 1

Prion
added 2019/10/21 8:15 p.m., 14 views

Cross site scripting

An issue was discovered in FusionPBX up to 4.5.7. In the file app\conferencecontrols\conferencecontroldetails.php, an unsanitized id variable coming from the URL is reflected in HTML on 2 occasions, leading to XSS...

CVSS 4.3 | AI score 6.2 | EPSS 0.00328
Exploits: 0 | References: 2 | Affected Software: 1

OSV
added 2019/10/21 4:15 p.m., 4 views

CVE-2019-16982

In FusionPBX up to v4.5.7, the file app\accesscontrols\accesscontrolnodes.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS...

CVSS 6.1 | AI score 6.8
Exploits: 0 | References: 2

CVE
added 2019/10/21 3:33 p.m., 66 views

CVE-2019-16987

Summary: CVE-2019-16987 affects FusionPBX up to version 4.5.7. The vulnerability exists in the file app/contacts/contact_import.php, where an unsanitized query_string parameter from the URL is reflected in HTML, causing a reflected XSS. The linked Red Hat/NVD entries confirm the same issue. Impac...

CVSS 6.1 | AI score 6.2 | EPSS 0.00328
Exploits: 0 | References: 2 | Affected Software: 1