CVE-2018-17049by Jeremyin Security Bulletinson Posted on September 14, 2018 CQU-LANKERS through 2017-11-02 has XSS via the public/api.php callback parameter in an uploadpic action.