PT-2026-51682 · WordPress · Image Sizes On Demand

Abdulsamad Yusuf · Published 2026-06-24 · Updated 2026-06-24 · CVE-2026-8622

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Image Sizes on Demand versions prior to 1.4

Description

Insufficient input sanitization and output escaping of the PHP_SELF server variable allow unauthenticated attackers to inject arbitrary web scripts. These scripts execute if a user is tricked into clicking a malicious link. Execution occurs only within the context of an administrator, because the settings page requires the manage_options capability to render. Reflected Cross-Site Scripting is a flaw in which a malicious script is reflected off a web application to the victim's browser.

Recommendations

Update to a version later than 1.3.
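
The class of bug in the description, shown as an added illustration that is not the plugin's own code: a WordPress settings page that reflects PHP_SELF beside a hardened form of the same output. The `isod_example_*` names, the `isod-example` slug and the assumption that the value lands in a form `action` attribute are hypothetical.

```php
<?php
// Added illustration with hypothetical names; not code from Image Sizes on Demand.

add_action( 'admin_menu', function () {
    add_options_page(
        'Example Settings',
        'Example Settings',
        'manage_options',              // page renders only for administrators
        'isod-example',                // hypothetical menu slug
        'isod_example_render_page'
    );
} );

// Pattern the description names: a request-derived value written to HTML unescaped.
// Kept here only for contrast; the render function below does not call it.
function isod_example_form_open_unsafe() {
    // PHP_SELF carries any extra path info from the requested URL, so it is
    // attacker-influenced input rather than a trusted constant.
    return '<form method="post" action="' . $_SERVER['PHP_SELF'] . '?page=isod-example">';
}

// Hardened: build the URL from server-side data, then escape at the point of output.
function isod_example_form_open_safe() {
    $action = admin_url( 'options-general.php?page=isod-example' );
    return '<form method="post" action="' . esc_url( $action ) . '">';
}

function isod_example_render_page() {
    // Defence in depth: re-check the capability inside the callback.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to access this page.' ) );
    }
    echo '<div class="wrap"><h1>' . esc_html( get_admin_page_title() ) . '</h1>';
    echo isod_example_form_open_safe();
    wp_nonce_field( 'isod_example_save' );
    submit_button();
    echo '</form></div>';
}
```

When auditing other plugins for the same pattern, search for `PHP_SELF` and `REQUEST_URI` reaching `echo` or `printf` without `esc_url()` or `esc_attr()` at the output site.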

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2026-8622

Affected Products

Image Sizes On Demand