CVE-2026-6696

Name of the Vulnerable Software and Affected Versions Zingaya Click-to-Call versions prior to 1.1

Description Insufficient input sanitization and output escaping in the sign-up admin page allow unauthenticated attackers to inject arbitrary web scripts. This occurs via the 'email', 'first name', 'last name', and 'phone' parameters. The scripts execute if a user is tricked into performing an action, such as clicking a link. Reflected Cross-Site Scripting is a type of attack where a malicious script is reflected off a web application to the victim's browser.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.