Ghi

Researcher from Huawei WeiRan Labs
#21828 of 53,624
10.9 Total CVSS
Vulnerabilities · 2
Medium
2
PT-2017-18930
6.1
2017-06-06
Flatcore · Flatcore · CVE-2017-9451
**Name of the Vulnerable Software and Affected Versions** flatCore version 1.4.6 **Description** The issue is a cross-site scripting (XSS) vulnerability. It allows remote attackers to inject arbitrary JavaScript code via the PATH_INFO portion of an acp.php URL, because the unsanitized `$_SERVER['PHP_SELF']` value is used to generate URLs. **Recommendations** For flatCore version 1.4.6, consider sanitizing the `$_SERVER['PHP_SELF']` variable before it is written into generated URLs to prevent the injection of malicious JavaScript code. As a temporary workaround, restrict access to the acp.php URL to minimize the risk of exploitation.
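The mechanism behind this entry, shown as an added example that is not flatCore's code: `PHP_SELF` carries any trailing PATH_INFO from the request, so reflecting it into a form action lets a crafted path break out of the attribute. The `$server` array below is a constructed stand-in for a real `$_SERVER`; the hardened variant uses `SCRIPT_NAME` (which excludes PATH_INFO) and encodes for the attribute context.

```php
<?php
// Constructed request environment: a request to /acp.php with extra path
// segments appended. PHP populates PHP_SELF as script path + PATH_INFO.
$server = [
    'SCRIPT_NAME' => '/acp.php',
    'PATH_INFO'   => '/"><b>injected</b>',
    'PHP_SELF'    => '/acp.php/"><b>injected</b>',
];

// Vulnerable pattern: PHP_SELF reflected verbatim into an HTML attribute.
// The quote in PATH_INFO terminates the attribute and the rest is parsed
// as markup by the browser.
function vulnerable_form_action(array $server): string
{
    return '<form action="' . $server['PHP_SELF'] . '" method="post">';
}

// Hardened pattern: take the script path from SCRIPT_NAME, which never
// contains PATH_INFO, and HTML-encode it for the attribute context anyway
// so that quotes and angle brackets cannot change the document structure.
function hardened_form_action(array $server): string
{
    $path = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form action="' . $path . '" method="post">';
}

// Simple check a reviewer can run over generated markup: the attribute
// value must not contain a raw double quote or angle bracket.
function attribute_is_intact(string $html): bool
{
    if (!preg_match('/action="([^"]*)"/', $html, $m)) {
        return false;
    }
    return strpos($m[1], '<') === false && strpos($m[1], '>') === false
        && strpos($html, '<b>') === false;
}

echo vulnerable_form_action($server), PHP_EOL;
echo hardened_form_action($server), PHP_EOL;
var_dump(attribute_is_intact(vulnerable_form_action($server))); // bool(false)
var_dump(attribute_is_intact(hardened_form_action($server)));   // bool(true)
```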
PT-2017-18931
4.8
2017-06-06
Piwigo · Piwigo · CVE-2017-9452
**Name of the Vulnerable Software and Affected Versions** Piwigo versions 2.9.0 and earlier **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `page` parameter in the "admin.php" file. **Recommendations** For versions 2.9.0 and earlier, update to a version later than 2.9.0 to resolve the issue.