CVE-2026-8626 SponsorMe <= 0.5.2 - Reflected Cross-Site Scripting via PHP_SELF Parameter

The SponsorMe plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHPSELF Parameter in all versions up to, and including, 0.5.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in...

GHSA-Q2PJ-8V84-9MH5 Arcane Backend: Unauthenticated reflected XSS via SVG color parameter enables admin account takeover

Summary The unauthenticated GET /api/app-images/logo endpoint reflects a user-supplied color query parameter into the body of an SVG document via strings.ReplaceAll with no escaping. The substitution lands inside a element of the embedded logo.svg, allowing an attacker to close the style block an...

AVideo has Reflected XSS via unlockPassword Parameter in forbiddenPage.php and warningPage.php

Summary The view/forbiddenPage.php and view/warningPage.php templates reflect the $REQUEST'unlockPassword' parameter directly into an HTML tag's attributes without any output encoding or sanitization. An attacker can craft a URL that breaks out of the value attribute and injects arbitrary HTML...

CVE-2025-43717

PEAR HTTP_Request2 is vulnerable prior to version 2.7.0. The issue arises because multiple files in the tests directory, notably tests/_network/getparameters.php and tests/_network/postparameters.php, reflect any GET or POST parameters, leading to Cross-Site Scripting (XSS). The root cause is inp...

CVE-2022-36318

When visiting directory listings for chrome:// URLs as source text, some parameters were reflected. This vulnerability affects Firefox ESR 102.1, Firefox ESR 91.12, Firefox 103, Thunderbird 102.1, and Thunderbird 91.12...

DEBIAN-CVE-2022-36318

When visiting directory listings for chrome:// URLs as source text, some parameters were reflected. This vulnerability affects Firefox ESR 102.1, Firefox ESR 91.12, Firefox 103, Thunderbird 102.1, and Thunderbird 91.12...

PT-2022-27310 · Unknown · Appalti & Contratti

Name of the Vulnerable Software and Affected Versions: Appalti & Contratti version 9.12.2 Description: The web application is vulnerable to a Reflected Cross-Site Scripting issue. The idPagina parameter is reflected inside the server response without any HTML encoding, resulting in XSS when the...

Mozilla: Directory indexes for bundled resources reflected URL parameters

A flaw was found in Mozilla. The Mozilla Foundation Security Advisory describes the issue of when visiting directory listings for chrome:// URLs as source text, some parameters were reflected...

UBUNTU-CVE-2022-36318

When visiting directory listings for chrome:// URLs as source text, some parameters were reflected. This vulnerability affects Firefox ESR 102.1, Firefox ESR 91.12, Firefox 103, Thunderbird 102.1, and Thunderbird 91.12...

WordPress plugin Google Tag Manager 跨站脚本漏洞

WordPress is a set of blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin Google Tag Manager version 1.15 has a cross-site scripting vulnerability that stems from the fact that site searches are n...

Darwin Factor 跨站脚本漏洞

Darwin Factor is a free and open source next-generation TypeScript framework from Darwin, Inc. Darwin Factor has a cross-site scripting vulnerability that stems from vulnerability to search parameter reflection cross-site scripting XSS attacks in URLs, which can be exploited by unauthenticated...

[SECURITY] [DLA 68-1] fex security update

Package : fex Version : 20100208+debian1-1+squeeze4 CVE ID : CVE-2014-3875 CVE-2014-3876 CVE-2014-3877 CVE-2014-3875 When inserting encoded newline characters into a request to rup, additional HTTP headers can be injected into the reply, as well as new HTML code on the top of the website...