R74n Sandboxels 1.9 through 1.9.5 allows XSS via a message in a modified saved-game file. This was fixed in a hotfix to 1.9.5 on 2024-06-29.
[
{
"cpes": [
"cpe:2.3:a:r74n:sandboxels:1.9:*:*:*:*:*:*:*"
],
"vendor": "r74n",
"product": "sandboxels",
"versions": [
{
"status": "affected",
"version": "1.9",
"lessThan": "1.9.5",
"versionType": "custom"
}
],
"defaultStatus": "unknown"
}
]