๐Ÿ” CVE Alert

CVE-2026-42548

Severity: UNKNOWN (CVSS 0.0)

Flight: Reflected XSS via unvalidated JSONP callback in Flight::jsonp()

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

Flight is an extensible micro-framework for PHP. Prior to 3.18.1, Flight::jsonp() concatenates the ?jsonp= query parameter directly into an application/javascript response body without validating that the value is a legal JavaScript identifier. An attacker can inject arbitrary JavaScript that executes in the response origin, enabling reflected cross-site scripting. This vulnerability is fixed in 3.18.1.
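
The defect described above is the absence of an identifier check before the callback name is echoed into the script body. The following is an added example, not Flight's own code, contrasting the unvalidated pattern with a hardened one; the function names and the 64-character limit are assumptions chosen for illustration.

```php
<?php
// Added example (not code from flightphp/core): validate a JSONP callback
// name before concatenating it into an application/javascript response.

// Accept only a plain JavaScript identifier, optionally dotted ("app.cb").
// Deliberately conservative: ASCII letters, digits, "_" and "$" only, and a
// hypothetical 64-character limit; the full Unicode identifier grammar is
// not needed for a callback name.
function isSafeJsonpCallback(string $callback): bool
{
    return strlen($callback) <= 64
        && preg_match('/^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$/', $callback) === 1;
}

// The pattern the advisory describes: the query value is emitted verbatim,
// so anything that is not an identifier becomes executable script.
function jsonpBodyUnvalidated(string $callback, array $data): string
{
    return $callback . '(' . json_encode($data) . ');';
}

// Hardened form: reject non-identifiers (here by falling back to a fixed
// name; returning HTTP 400 is equally valid), and escape the JSON payload so
// the literal cannot close the script context either.
function jsonpBodyValidated(string $callback, array $data): string
{
    if (!isSafeJsonpCallback($callback)) {
        $callback = 'callback';
    }
    $json = json_encode($data, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    // Leading comment is a common JSONP hardening against content sniffing
    // of the response; pair it with "X-Content-Type-Options: nosniff".
    return '/**/' . $callback . '(' . $json . ');';
}

// Constructed inputs: two legitimate callback names and two hostile ones.
$data = ['status' => 'ok'];
foreach (['handleData', 'app.cb', 'alert(1);//', '<script>x</script>'] as $cb) {
    printf("%-25s %s\n", var_export($cb, true), isSafeJsonpCallback($cb) ? 'accepted' : 'rejected');
}
header('Content-Type: application/javascript; charset=utf-8');
header('X-Content-Type-Options: nosniff');
echo jsonpBodyValidated($_GET['jsonp'] ?? 'callback', $data), "\n";
```

Run from the command line, the loop shows the two hostile names rejected while the dotted name is accepted; served over HTTP, the body always begins with an identifier regardless of what `?jsonp=` carries.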

CWE: CWE-79
Vendor: flightphp
Product: core
Published: May 13, 2026

Affected Versions

flightphp / core
< 3.18.1

References

NVD, CVE.org, EPSS Data
github.com: https://github.com/flightphp/core/security/advisories/GHSA-fcx8-ph5r-mxr4