PNP4Nagios through 81ebfc5 has stored XSS in the AJAX controller via the basket API and filters. This affects 0.6.26.
pnp4nagios pnp4nagios 0.6.26