5 matches found

ATTACKERKB
added 2026/03/07 5:40 a.m. | 2 views

CVE-2026-30841

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, passwordreset.php outputs $_GET["token"] and $_GET["email"] directly into HTML input value attributes using and without calling htmlspecialchars. This allows reflected XSS by breaking out of the attribute...

CVSS 6.9 | AI score 5.7 | EPSS 0.00017
Exploits: 1 | References: 4 | Affected Software: 1

EUVD
added 2025/10/03 8:7 p.m. | 2 views

EUVD-2024-43504

Malicious code in bioql PyPI...

CVSS 7.1 | AI score 6.6 | EPSS 0.00437
Exploits: 0 | References: 1

CVE
added 2025/05/02 9:46 p.m. | 62 views

CVE-2025-21572

CVE-2025-21572 affects OpenGrok 1.13.25. The vulnerability is a reflected Cross-Site Scripting (XSS) in the history view page caused by improper handling of path segments, resulting in unsanitized user input being reflected in HTML output. Reported impact per CVSS: MEDIUM (6.1), with network atta...

CVSS 6.1 | AI score 5.8 | EPSS 0.0035
Exploits: 0 | References: 1 | Affected Software: 1

Cvelist
added 2025/01/13 8:52 p.m. | 15 views

CVE-2025-22617 WeGIA Cross-Site Scripting (XSS) Reflected endpoint 'editar_socio.php' parameter 'socio'

WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the editar_socio.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in t...

CVSS 6.4 | EPSS 0.00496
Exploits: 1 | References: 2

Prion
added 2021/06/01 2:15 p.m. | 13 views

Cross site scripting

The Car Repair Services & Auto Mechanic WordPress theme before 4.0 did not properly sanitise its serviceestimatekey search parameter before outputting it back in the page, leading to a reflected Cross-Site Scripting issue...

CVSS 4.3 | AI score 6 | EPSS 0.45442
Exploits: 2 | References: 3 | Affected Software: 1