Omero.Web · CVE-2024-35180
**Name of the Vulnerable Software and Affected Versions**
OMERO.web versions prior to 5.26.0
**Description**
The issue stems from missing escaping and validation of the `callback` parameter in OMERO.web endpoints that have JSONP enabled. Affected endpoints include `/webclient/imgData/...`. Although the vulnerability is difficult to exploit in vanilla OMERO.web, it could be exploited in plugins that use these metadata endpoints.
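As an added illustration of the defect class (not OMERO.web's own code): a JSONP wrapper that concatenates the raw `callback` value next to a hardened version that accepts only allowlisted JavaScript identifier names and serves the body with a script content type. The function names and the sample metadata dict are constructed for this example.

```python
import json
import re

# Allowlist for a JSONP callback name: JavaScript identifier segments,
# optionally dotted (e.g. "app.handlers.cb"). Anything else is rejected, so a
# request-controlled value can never break out of the function-call wrapper.
_CALLBACK_RE = re.compile(
    r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$"
)


def is_valid_callback(name: str, max_len: int = 64) -> bool:
    """True only if `name` is a plausible, safe JSONP callback identifier."""
    return 0 < len(name) <= max_len and _CALLBACK_RE.fullmatch(name) is not None


def jsonp_response_unsafe(payload: dict, callback: str) -> str:
    """The defect pattern: the callback is inserted into the script body
    without validation, so whatever the request supplied becomes JavaScript."""
    return f"{callback}({json.dumps(payload)});"


def jsonp_response_safe(payload: dict, callback: str) -> tuple:
    """Hardened form: reject anything that is not an identifier, escape the
    two Unicode line terminators that are legal in JSON but not in JS string
    literals, and return (status, content_type, body) for the view to send."""
    if not is_valid_callback(callback):
        return 400, "application/json", json.dumps({"error": "invalid callback"})
    body = json.dumps(payload)
    body = body.replace("\u2028", "\\u2028").replace("\u2029", "\\u2029")
    # Leading comment defeats content-sniffing of the response as another type;
    # pair it with an X-Content-Type-Options: nosniff header in the real view.
    return 200, "application/javascript", f"/**/{callback}({body});"


# Constructed sample metadata, standing in for an image-metadata endpoint's output.
SAMPLE_METADATA = {"id": 1, "name": "image.tif", "size": {"width": 512, "height": 512}}

if __name__ == "__main__":
    for cb in ("handleImgData", "app.handlers.cb", "cb;x", "1cb", ""):
        status, ctype, body = jsonp_response_safe(SAMPLE_METADATA, cb)
        print(f"{cb!r:20} -> {status} {ctype}: {body[:60]}")
```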
**Recommendations**
For versions prior to 5.26.0, upgrade to version 5.26.0 or higher to resolve the issue. As a temporary workaround, consider restricting access to endpoints with JSONP enabled until the upgrade is applied. Avoid using the `callback` parameter in affected API endpoints until the issue is resolved.