Hi, in https://github.com/FalconChristmas/fpp/blob/123cdf2eb11062766da333a7a4d85bc0bf620e47/www/rebootRemoteFPP.php#L15 the variable ip is reflected without prior sanitization :
$ip = $_GET['ip'];
echo "Rebooting FPP system @ $ip\n";
Visit : http://127.0.0.1/rebootRemoteFPP.php?ip=%3Cscript%3Ealert(%27zer0h%27)%3C/script%3E
XSS