CVE-2026-33035 Unauthenticated Reflected XSS via innerHTML in AVideo

WWBN AVideo is an open source video platform. In versions 25.0 and below, there is a reflected XSS vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser. User input from a URL parameter flows through PHP's jsonencode into a JavaScript function...

CVE-2025-48051

powertip.ts in Lila for Lichess before ab0beaf allows XSS in some applications because of an innerHTML usage pattern in which text is extracted from a DOM node and interpreted as HTML...