XSS in Flightphp Core

CVE-2026-42548

Flight is an extensible micro-framework for PHP. Prior to 3.18.1, Flight::jsonp() concatenates the ?jsonp= query parameter directly into an application/javascript response body without validating that the value is a legal JavaScript identi…

Vulnerability class: XSS (Cross-Site Scripting)
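
An added example, not Flight's code and not the 3.18.1 patch: one way to check a JSONP callback name before it is written into an application/javascript body, shown as a defensive sketch of the missing validation described above. The function names, the 128-character cap and the dotted-name allowance are assumptions; it needs PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Added example; hypothetical helper names, not part of Flight.

/** True only for a dotted chain of ASCII identifiers, e.g. "cb" or "app.onData". */
function is_safe_jsonp_callback(string $name): bool
{
    if ($name === '' || strlen($name) > 128) {   // length cap is an assumption
        return false;
    }
    // \A and \z anchor the whole string; "$" would also match before a trailing newline.
    $identifier = '[A-Za-z_$][A-Za-z0-9_$]*';
    return preg_match('/\A' . $identifier . '(?:\.' . $identifier . ')*\z/', $name) === 1;
}

/** Returns the JSONP body, or null when the callback must be refused (answer 400). */
function build_jsonp_body(mixed $data, string $callback): ?string
{
    if (!is_safe_jsonp_callback($callback)) {
        return null;
    }
    // The JSON_HEX_* flags keep <, >, &, ' and " out of the payload as raw characters.
    $json = json_encode(
        $data,
        JSON_THROW_ON_ERROR | JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    // Leading "/**/" ensures the response never begins with caller-chosen bytes.
    return '/**/' . $callback . '(' . $json . ');';
}

// Constructed sample callback values: two well-formed names, three that must be refused.
foreach (['handleData', 'app.onData', 'cb(1)', "cb\n", ''] as $candidate) {
    $body = build_jsonp_body(['ok' => true], $candidate);
    printf("%-14s => %s\n", json_encode($candidate), $body ?? 'rejected (send 400)');
}
```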

EPSS: 0.000 (5.7th percentile)
