455 matches found
CVE-2026-42548
Flight is an extensible micro-framework for PHP. Prior to 3.18.1, Flight::jsonp concatenates the ?jsonp= query parameter directly into an application/javascript response body without validating that the value is a legal JavaScript identifier. An attacker can inject arbitrary JavaScript that...
CVE-2026-42548
Flight is an extensible micro-framework for PHP. Prior to 3.18.1, Flight::jsonp concatenates the ?jsonp= query parameter directly into an application/javascript response body without validating that the value is a legal JavaScript identifier. An attacker can inject arbitrary JavaScript that...
CVE-2026-42548 Flight: Reflected XSS via unvalidated JSONP callback in Flight::jsonp()
Flight is an extensible micro-framework for PHP. Prior to 3.18.1, Flight::jsonp concatenates the ?jsonp= query parameter directly into an application/javascript response body without validating that the value is a legal JavaScript identifier. An attacker can inject arbitrary JavaScript that...
CVE-2026-42548 Flight: Reflected XSS via unvalidated JSONP callback in Flight::jsonp()
Flight is an extensible micro-framework for PHP. Prior to 3.18.1, Flight::jsonp concatenates the ?jsonp= query parameter directly into an application/javascript response body without validating that the value is a legal JavaScript identifier. An attacker can inject arbitrary JavaScript that...
Flight 跨站脚本漏洞
Flight is a PHP microframework developed by Mike Cao. Versions of Flight prior to 3.18.1 contained a cross-site scripting vulnerability. This vulnerability stemmed from the use of Flight::jsonp, which directly connected the “?jsonp=” query parameter to the application/javascript response body. No...
GHSA-FCX8-PH5R-MXR4 Flight has reflected XSS through an unvalidated JSONP callback in Flight::jsonp()
Summary Flight::jsonp concatenates the ?jsonp= query parameter directly into an application/javascript response body without validating that the value is a legal JavaScript identifier. An attacker can inject arbitrary JavaScript that executes in the response origin, enabling reflected cross-site...
Flight has reflected XSS through an unvalidated JSONP callback in Flight::jsonp()
Summary Flight::jsonp concatenates the ?jsonp= query parameter directly into an application/javascript response body without validating that the value is a legal JavaScript identifier. An attacker can inject arbitrary JavaScript that executes in the response origin, enabling reflected cross-site...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the Flight::jsonp process. An attacker can execute arbitrary JavaScript in the context of the response origin by supplying a crafted jsonp query parameter, which is concatenated directly into the JavaScript...
PT-2026-38270
Name of the Vulnerable Software and Affected Versions Flight versions prior to 3.18.1 Description The Flight::jsonp function concatenates the jsonp query parameter directly into an application/javascript response body without validating if the value is a legal JavaScript identifier. This allows a...
CVE-2026-32275
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. From version 1.3.10 to before version 2.17.0, an unsanitized JSONP callback parameter allows cross-origin script injection and API key theft. This issue has been patched in version 2.17.0...
CVE-2026-32275
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. From version 1.3.10 to before version 2.17.0, an unsanitized JSONP callback parameter allows cross-origin script injection and API key theft. This issue has been patched in version 2.17.0...
CVE-2026-32275 Tautulli: Unsanitized JSONP callback parameter allows cross-origin script injection and API key theft
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. From version 1.3.10 to before version 2.17.0, an unsanitized JSONP callback parameter allows cross-origin script injection and API key theft. This issue has been patched in version 2.17.0...
CVE-2026-32275
CVE-2026-32275 affects Tautulli (Python-based Plex monitoring) with an unsanitized JSONP callback parameter. From version 1.3.10 up to, but not including, 2.17.0, this allows cross-origin script injection and API key theft. The issue is fixed in version 2.17.0. Affected range: 1.3.10 through 2.16...
Tautulli 跨站脚本漏洞
Tautulli is an open-source application developed by Tautulli for monitoring Plex Media Server. Versions of Tautulli from 1.3.10 to 2.17.0 contained a cross-site scripting vulnerability. This vulnerability stemmed from uncleaned JSONP callback parameters, which could lead to cross-domain script...
EUVD-2026-12243
A vulnerability was determined in UEditor up to 1.4.3.2. This issue affects some unknown processing of the file php/controller.php?action=uploadimage of the component JSONP Callback Handler. This manipulation of the argument callback causes cross site scripting. The attack can be initiated...
CVE-2026-4186
A vulnerability was determined in UEditor up to 1.4.3.2. This issue affects some unknown processing of the file php/controller.php?action=uploadimage of the component JSONP Callback Handler. This manipulation of the argument callback causes cross site scripting. The attack can be initiated...
CVE-2026-4186 UEditor JSONP Callback controller.php cross site scripting
A vulnerability was determined in UEditor up to 1.4.3.2. This issue affects some unknown processing of the file php/controller.php?action=uploadimage of the component JSONP Callback Handler. This manipulation of the argument callback causes cross site scripting. The attack can be initiated...
CVE-2026-4186
CVE-2026-4186 affects UEditor (up to version 1.4.3.2), specifically the JSONP Callback Handler’s php/controller.php?action=uploadimage path. Root cause is manipulation of the callback argument, enabling cross-site scripting. Impact is disclosed as a remote, user-interaction-requiring XSS with no ...
Cross-site Scripting (XSS)
Overview yourls/yourls is an is a set of PHP scripts that allow you to run Your Own URL Shortener. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the callback and jsonp request parameters, which are concatenated into the response without proper sanitization. An...
YOURLS is vulnerable to XSS through JSONP and Callback request parameters
Summary The callback and jsonp request parameters are directly concatenated into the response without any sanitization that allowing attackers to inject arbitrary JS code. When YOURLSPRIVATE is set to false public API mode, this vulnerability can be exploited by any unauthenticated attacker. In...