13 matches found
CVE-2026-32275
Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. From version 1.3.10 to before version 2.17.0, an unsanitized JSONP callback parameter allows cross-origin script injection and API key theft. This issue has been patched in version 2.17.0...
CVE-2026-4186 UEditor JSONP Callback controller.php cross site scripting
A vulnerability was determined in UEditor up to 1.4.3.2. This issue affects some unknown processing of the file php/controller.php?action=uploadimage of the component JSONP Callback Handler. Manipulation of the argument callback causes cross-site scripting. The attack can be initiated...
CVE-2025-15144
A weakness has been identified in dayrui XunRuiCMS up to 4.7.1. The impacted element is the function drshowerror/drexitmsg of the file /dayrui/Fcms/Init.php of the component JSONP Callback Handler. Manipulation of the argument callback causes cross-site scripting. The attack can be initiated...
m.thecard.co.kr XSS vulnerability
Vulnerable URL: http://m.thecard.co.kr/mobile/event/EventReviewListProc.asp?jsoncallback=prompt/OPENBUGBOUNTY/...
ipregistry.dmrights.com XSS vulnerability
Vulnerable URL: http://ipregistry.dmrights.com/counter/index.jsp?jsoncallback=prompt/OPENBUGBOUNTY/...
help.objectiflune.com XSS vulnerability
Vulnerable URL: http://help.objectiflune.com/common/doctools/globals.php?jsoncallback=prompt/OPENBUGBOUNTY/...
oxfam.org.au XSS vulnerability
Vulnerable URL: https://www.oxfam.org.au/my/profile/gettheuser?jsoncallback=prompt/OPENBUGBOUNTY/...
guatemalanadventure.com XSS vulnerability
Vulnerable URL: https://guatemalanadventure.com/SistemaGAV1/post.php?jsoncallback=prompt/OPENBUGBOUNTY/...
slarti.myfreeforum.org XSS vulnerability
Vulnerable URL: http://slarti.myfreeforum.org/screenshots/jscreen.php?jsoncallback=prompt/OPENBUGBOUNTY/...
turl.ca XSS vulnerability
Vulnerable URL: http://turl.ca/json.php?jsoncallback=prompt/OPENBUGBOUNTY/...
Trello: DOM based XSS via Wistia embedding
Hi, you are using Wistia to embed video at trello.com. However, the external script from fast.wistia.com is vulnerable to XSS and allows running malicious JavaScript on your side. Vulnerable code: fast.wistia.net/assets/external/E-v1.js. I found that the parameter wchannel can be controlled to load JS from...
Mandriva Linux Security Advisory : couchdb (MDVSA-2013:067)
Updated couchdb packages fix security vulnerabilities: A security flaw was found in the way Apache CouchDB, a distributed, fault-tolerant and schema-free document-oriented database accessible via a RESTful HTTP/JSON API, processed certain JSON callbacks. A remote attacker could provide a speciall...
tudou.com UTF7-BOM Cross Site Scripting
XSS attacks through UTF-7 BOM string injection at the beginning of the response. The UTF-7 BOM character technique is from Gareth Heyes's paper "XSS Lightsabre techniques": CSS expressions with UTF-7 • A UTF-7 BOM character can force UTF-7 in an external style sheet •...