qdPM 9.1 suffers from Cross-site Scripting (XSS) in the search[keywords] parameter.

Source