What the vulnerability does
01 Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Russell Jamieson CaptionPix captionpix allows Reflected XSS. This issue affects CaptionPix: from n/a through <= 1.8.
Explanation of Vulnerability in Simple Terms
02 Summary
CaptionPix versions 1.8 and earlier contain a cross-site scripting (XSS) vulnerability that allows attackers to inject malicious scripts into web pages. An attacker can craft a malicious link or page that, when visited by a site user, executes arbitrary JavaScript in the victim's browser. This can lead to session hijacking, credential theft, or defacement. The vulnerability affects all versions from 0 through 1.8.
What an attacker can do
03 Attacker Capabilities
Inject and execute malicious JavaScript in a user's browser to steal session data, credentials, or deface content.
Potential impact on your site
04 Site Impact
Site visitors can be compromised without their knowledge; attackers may steal admin sessions or user data through malicious scripts.
Conditions required to exploit
05 Prerequisites
A site user must visit an attacker-controlled link or page that triggers the vulnerability. No authentication required.
Key dates
06 Disclosure timeline
August 14, 2025: CVE published
May 12, 2026: Record updated