XSS vulnerability through search results page.
The search query is sent as a GET parameter and is not completely escaped when presented back to the user. This allows code to be rendered directly from a malicious URL.
<div class="showing"> No results found for '<img src=https://dyl.anjon.es/favicon.ico>'. Please try another search term. </div>