XMB is vulnerable to cross-site scripting (XSS) due to inadequate filtering of BBCode input. This bug affects all versions of XMB. All XMB installations must be updated to versions 1.9.12.03 or 1.9.11.16.
https://forums.xmbforum2.com/viewthread.php?tid=777105
https://docs.xmbforum2.com/index.php?title=Security_Issue_History