CVE-2026-53741
MediumCVSS 5.4Exploitation Probability (EPSS)
Low risk9th percentile — higher than 9% of all known CVEs
Summary
Simple Link Directory version 9.0.4 interpolates the sld_no_results_found option into a JavaScript string literal without encoding. Because sanitize_text_field leaves quotes intact, a stored payload can break out of the string and run script for every page visitor.
Risk Assessment
This vulnerability may lead to the execution of malicious scripts on visitor pages, posing a risk of data theft or session hijacking.
Recommendation
It is recommended to update to the latest version of Simple Link Directory and implement proper input encoding mechanisms to prevent script injection.
Original NVD description (English source)
Simple Link Directory through 9.0.4 interpolates the sld_no_results_found option into a JavaScript string literal without encoding. Because sanitize_text_field leaves quotes intact, a stored payload breaks out of the string and runs script for every page visitor.

