Tracked as CVE-2022-26136, the first of the flaws could allow a remote, unauthenticated attacker to send specially crafted HTTP requests and authenticate to third-party apps, or to launch an XSS attack, to execute JavaScript code in a user’s browser.