The callback and jsonp request parameters are directly concatenated into the response without any sanitization that allowing attackers to inject arbitrary JS code. When YOURLS_PRIVATE is set to false (public API mode), this vulnerability can be exploited by any unauthenticated attacker. In private mode, the XSS payload is still injected into the 403 response body though browser execution is blocked.
Cross-Site Request Forgery (CSRF) in GitHub repository yourls/yourls prior to 1.8.3.
yourls is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
yourls is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
yourls is vulnerable to Improper Restriction of Rendered UI Layers or Frames
Multiple Stored Cross Site Scripting (XSS) vulnerabilities exist in the YOURLS Admin Panel - An authenticated user must modify a PHP plugin with a malicious payload and upload it, resulting in multiple stored XSS issues.
YOURLS is affected by a type juggling vulnerability in the api component that can result in login bypass.