CVE-2026-48225 Open ISES Tickets < 3.44.2 Reflected XSS via landb.php _type Parameter

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in landb.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the type POST parameter directly into an HTML form hidden input value attribute. Attacker...

CVE-2026-33499

Summary: CVE-2026-33499 affects WWBN AVideo up to version 26.0, where the templates view/forbiddenPage.php and view/warningPage.php reflect the $_REQUEST['unlockPassword'] value directly into an HTML input tag without encoding, enabling a reflected XSS vulnerability if a user clicks a crafted lin...

AVideo has Reflected XSS via unlockPassword Parameter in forbiddenPage.php and warningPage.php

Summary The view/forbiddenPage.php and view/warningPage.php templates reflect the $REQUEST'unlockPassword' parameter directly into an HTML tag's attributes without any output encoding or sanitization. An attacker can craft a URL that breaks out of the value attribute and injects arbitrary HTML...

CVE-2026-30841

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, passwordreset.php outputs $GET"token" and $GET"email" directly into HTML input value attributes using and without calling htmlspecialchars. This allows reflected XSS by breaking out of the attribute...

SUSE CVE-2013-6621

Use-after-free vulnerability in Google Chrome before 31.0.1650.48 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the x-webkit-speech attribute in a text INPUT element...

UBUNTU-CVE-2022-27777

A XSS Vulnerability in Action View tag helpers = 5.2.0 and 5.2.0 which would allow an attacker to inject content if able to control input into specific attributes...