CWE-116
Allowed-with-ReviewImproper Encoding or Escaping of Output
Abstraction: Class · Status: Draft
The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
612 vulnerabilities reference this CWE, most recent first.
GHSA-4J38-F5CW-54H7
Vulnerability from github – Published: 2026-05-21 21:21 – Updated: 2026-05-21 21:21Description
The spaceless filter is registered with is_safe => ['html'], which means Twig's autoescaper does not escape its output in an HTML context. As a result, applying spaceless to attacker-controlled input that contains markup emits the markup unescaped even when the developer never wrote |raw and autoescape is enabled.
Example:
{% set payload = '<script>alert()</script>' %}
{{ payload }} {# escaped #}
{{ payload|spaceless }} {# not escaped #}
The filter is deprecated but still functional. With the deprecation, some downstream projects (e.g. Drupal modules) have duplicated the filter and inherited the same is_safe flag.
Resolution
The spaceless filter no longer marks its output as safe. Documentation has been updated to warn that spaceless should not be applied to unsanitised user input.
Credits
Twig would like to thank Pierre Rudloff for reporting the issue.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "twig/twig"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.26.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-46628"
],
"database_specific": {
"cwe_ids": [
"CWE-116"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-21T21:21:35Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Description\n\nThe `spaceless` filter is registered with `is_safe =\u003e [\u0027html\u0027]`, which means Twig\u0027s autoescaper does not escape its output in an HTML context. As a result, applying `spaceless` to attacker-controlled input that contains markup emits the markup unescaped even when the developer never wrote `|raw` and autoescape is enabled.\n\nExample:\n\n```twig\n{% set payload = \u0027\u003cscript\u003ealert()\u003c/script\u003e\u0027 %}\n{{ payload }} {# escaped #}\n{{ payload|spaceless }} {# not escaped #}\n```\n\nThe filter is deprecated but still functional. With the deprecation, some downstream projects (e.g. Drupal modules) have duplicated the filter and inherited the same `is_safe` flag.\n\n### Resolution\n\nThe `spaceless` filter no longer marks its output as safe. Documentation has been updated to warn that `spaceless` should not be applied to unsanitised user input.\n\n### Credits\n\nTwig would like to thank Pierre Rudloff for reporting the issue.",
"id": "GHSA-4j38-f5cw-54h7",
"modified": "2026-05-21T21:21:35Z",
"published": "2026-05-21T21:21:35Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/twigphp/Twig/security/advisories/GHSA-4j38-f5cw-54h7"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2026-46628.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/twigphp/Twig"
},
{
"type": "WEB",
"url": "https://symfony.com/cve-2026-46628"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "Twig: The `spaceless` filter implicitly marks its output as safe"
}
GHSA-4MQ2-GC4J-CMW6
Vulnerability from github – Published: 2024-01-11 16:41 – Updated: 2024-01-11 19:00Impact
Vulnerability Type: Cross-Site Scripting (XSS)
Affected Users: All users of the Django template engine for Fiber prior to the patch. This vulnerability specifically impacts web applications that render user-supplied data through this template engine, potentially leading to the execution of malicious scripts in users' browsers when visiting affected web pages.
Patches
The vulnerability has been addressed. The template engine now defaults to having autoescape set to true, effectively mitigating the risk of XSS attacks. Users are advised to upgrade to the latest version of the Django template engine for Fiber, where this security update is implemented. Ensure that the version of the template engine being used is the latest, post-patch version.
Workarounds
For users unable to upgrade immediately to the patched version, a workaround involves manually implementing autoescaping within individual Django templates. This method includes adding specific tags in the template to control autoescape behavior:
{% autoescape on %}
{{ "<script>alert('xss');</script>" }}
{% endautoescape %}
References
- Official documentation of the Django template engine for Fiber: https://docs.gofiber.io/template/django/
- Django built-in template tags: https://docs.djangoproject.com/en/5.0/ref/templates/builtins/
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/gofiber/template/django/v3"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-22199"
],
"database_specific": {
"cwe_ids": [
"CWE-116",
"CWE-20",
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2024-01-11T16:41:42Z",
"nvd_published_at": "2024-01-11T18:15:45Z",
"severity": "CRITICAL"
},
"details": "### Impact\n\n**Vulnerability Type:** Cross-Site Scripting (XSS) \n**Affected Users:** All users of the Django template engine for Fiber prior to the patch. This vulnerability specifically impacts web applications that render user-supplied data through this template engine, potentially leading to the execution of malicious scripts in users\u0027 browsers when visiting affected web pages.\n\n### Patches\n\nThe vulnerability has been addressed. The template engine now defaults to having autoescape set to `true`, effectively mitigating the risk of XSS attacks. Users are advised to upgrade to the latest version of the Django template engine for Fiber, where this security update is implemented. Ensure that the version of the template engine being used is the latest, post-patch version.\n\n### Workarounds\n\nFor users unable to upgrade immediately to the patched version, a workaround involves manually implementing autoescaping within individual Django templates. This method includes adding specific tags in the template to control autoescape behavior:\n```django\n{% autoescape on %}\n{{ \"\u003cscript\u003ealert(\u0027xss\u0027);\u003c/script\u003e\" }}\n{% endautoescape %}\n```\n\n### References\n\n- Official documentation of the Django template engine for Fiber: https://docs.gofiber.io/template/django/\n- Django built-in template tags: https://docs.djangoproject.com/en/5.0/ref/templates/builtins/\n",
"id": "GHSA-4mq2-gc4j-cmw6",
"modified": "2024-01-11T19:00:53Z",
"published": "2024-01-11T16:41:42Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/gofiber/template/security/advisories/GHSA-4mq2-gc4j-cmw6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22199"
},
{
"type": "WEB",
"url": "https://github.com/gofiber/template/commit/28cff3ac4d4c117ab25b5396954676d624b6cb46"
},
{
"type": "PACKAGE",
"url": "https://github.com/gofiber/template"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Django Template Engine Vulnerable to XSS"
}
GHSA-4PX2-PW77-VC85
Vulnerability from github – Published: 2026-06-12 15:08 – Updated: 2026-07-15 21:23swift-nio-http2's HTTP/2-to-HTTP/1.1 codec (HTTP2FramePayloadToHTTP1ServerCodec / HTTP2ToHTTP1ServerCodec) did not validate pseudo-header values for control characters before placing them into the translated HTTP/1.1 message. A remote attacker could send an HTTP/2 request containing CR (\r), LF (\n), or NUL (\0) bytes in pseudo-header values such as :path, and when the server translated this to HTTP/1.1 — for example in a reverse-proxy configuration — the resulting output could contain injected headers or entirely smuggled requests.
This is an HTTP/2-to-HTTP/1.1 request smuggling vulnerability. HTTP/2's binary framing means that CRLF bytes are never parsed as line terminators at the HTTP/2 layer, so they pass through transparently to the HTTP/1.1 output. Any swift-nio-http2 server that translates HTTP/2 requests to HTTP/1.1 and forwards them to a backend is affected. Server-side Swift frameworks such as Vapor that use this codec in a reverse-proxy pattern are directly affected.
This vulnerability is related to https://github.com/advisories/GHSA-7fj7-39wj-c64f in swift-nio, which addressed CRLF injection in HTTP/1.1 header values but did not cover pseudo-header values in the HTTP/2 layer.
This vulnerability is also related to https://github.com/advisories/GHSA-cq87-8r7h-962v in swift-nio, which addressed CRLF injection in HTTP/1.1 version, method and path.
swift-nio-http2 1.44.0 adds validation of all pseudo-header values (:path, :authority, :scheme, :method, and :status) at both the HPACK header validation layer and the HTTP/2-to-HTTP/1.1 translation layer. Requests or responses containing CR, LF, or NUL bytes in any pseudo-header value are now rejected with a connection error.
SwiftNIO recommends all adopters upgrade to 1.44.0 as soon as possible.
SwiftNIO thanks @kuranikaran for filing this issue and the support in fixing it.
{
"affected": [
{
"package": {
"ecosystem": "SwiftURL",
"name": "github.com/apple/swift-nio-http2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.44.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-28898"
],
"database_specific": {
"cwe_ids": [
"CWE-444",
"CWE-116"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-12T15:08:16Z",
"nvd_published_at": "2026-06-25T19:16:36Z",
"severity": "MODERATE"
},
"details": "swift-nio-http2\u0027s HTTP/2-to-HTTP/1.1 codec (`HTTP2FramePayloadToHTTP1ServerCodec` / `HTTP2ToHTTP1ServerCodec`) did not validate pseudo-header values for control characters before placing them into the translated HTTP/1.1 message. A remote attacker could send an HTTP/2 request containing CR (\\r), LF (\\n), or NUL (\\0) bytes in pseudo-header values such as `:path`, and when the server translated this to HTTP/1.1 \u2014 for example in a reverse-proxy configuration \u2014 the resulting output could contain injected headers or entirely smuggled requests.\n\nThis is an HTTP/2-to-HTTP/1.1 request smuggling vulnerability. HTTP/2\u0027s binary framing means that CRLF bytes are never parsed as line terminators at the HTTP/2 layer, so they pass through transparently to the HTTP/1.1 output. Any swift-nio-http2 server that translates HTTP/2 requests to HTTP/1.1 and forwards them to a backend is affected. Server-side Swift frameworks such as Vapor that use this codec in a reverse-proxy pattern are directly affected.\n\nThis vulnerability is related to https://github.com/advisories/GHSA-7fj7-39wj-c64f in swift-nio, which addressed CRLF injection in HTTP/1.1 header values but did not cover pseudo-header values in the HTTP/2 layer.\n\nThis vulnerability is also related to https://github.com/advisories/GHSA-cq87-8r7h-962v in swift-nio, which addressed CRLF injection in HTTP/1.1 version, method and path.\n\nswift-nio-http2 1.44.0 adds validation of all pseudo-header values (:path, :authority, :scheme, :method, and :status) at both the HPACK header validation layer and the HTTP/2-to-HTTP/1.1 translation layer. Requests or responses containing CR, LF, or NUL bytes in any pseudo-header value are now rejected with a connection error.\n\nSwiftNIO recommends all adopters upgrade to 1.44.0 as soon as possible.\n\nSwiftNIO thanks @kuranikaran for filing this issue and the support in fixing it.",
"id": "GHSA-4px2-pw77-vc85",
"modified": "2026-07-15T21:23:10Z",
"published": "2026-06-12T15:08:16Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/apple/swift-nio-http2/security/advisories/GHSA-4px2-pw77-vc85"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28898"
},
{
"type": "WEB",
"url": "https://github.com/apple/swift-nio-http2/commit/61d1b44f6e4e118792be1cff88ee2bc0267c6f9a"
},
{
"type": "PACKAGE",
"url": "https://github.com/apple/swift-nio-http2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "SwiftNIO HTTP/2: HTTP/2-to-HTTP/1 Request Smuggling via unvalidated :path pseudo-header in HTTP2ToHTTP1Codec"
}
GHSA-4QGR-4H56-8895
Vulnerability from github – Published: 2026-02-25 22:01 – Updated: 2026-02-27 21:50Summary
Vikunja is an open-source self-hosted task management platform with 3,300+ GitHub stars. A reflected HTML injection vulnerability exists in the Projects module where the filter URL parameter is rendered into the DOM without output encoding when the user clicks "Filter." While <script> and <iframe> are blocked, <svg>, <a>, and formatting tags (<h1>, <b>, <u>) render without restriction — enabling SVG-based phishing buttons, external redirect links, and content spoofing within the trusted application origin.
Attack flow: Attacker shares a crafted project filter link (routine Vikunja workflow) → victim opens it → victim clicks "Filter" (standard UI action) → phishing content renders inside trusted Vikunja interface.
Affected Component
| Field | Detail |
|---|---|
| Application | Vikunja v1.1.0 |
| Module | Projects |
| Endpoint | /projects/-1/-1?filter=PAYLOAD&page=1 |
| Parameter | filter (GET) |
| Trigger | Click "Filter" button |
| Stack | Go backend, Vue.js + TypeScript frontend |
| Blocked | <script>, <iframe> |
| Allowed | <svg>, <a>, <rect>, <text>, <h1>, <b>, <u> |
Proof-of-Concept
PoC-1: SVG Phishing Button (Highest Impact)
Renders a styled, clickable red button redirecting to attacker domain. Visually indistinguishable from a real UI button.
http://localhost:3456/projects/-1/-1?filter=%3Csvg%20width%3D%22400%22%20height%3D%2260%22%3E%3Ca%20href%3D%22https%3A%2F%2Fattacker.example.com%2Flogin%22%3E%3Crect%20width%3D%22400%22%20height%3D%2260%22%20rx%3D%224%22%20fill%3D%22%23d32f2f%22%3E%3C%2Frect%3E%3Ctext%20x%3D%22200%22%20y%3D%2237%22%20text-anchor%3D%22middle%22%20fill%3D%22white%22%20font-size%3D%2216%22%3ESession%20Expired%20-%20Click%20to%20Re-authenticate%3C%2Ftext%3E%3C%2Fa%3E%3C%2Fsvg%3E&page=1
Raw payload:
<svg width="400" height="60"><a href="https://attacker.example.com/login"><rect width="400" height="60" rx="4" fill="#d32f2f"></rect><text x="200" y="37" text-anchor="middle" fill="white" font-size="16">Session Expired - Click to Re-authenticate</text></a></svg>
PoC-2: Phishing Link via Heading + Anchor
Prominent clickable link styled as urgent system message.
http://localhost:3456/projects/-1/-1?filter=%3Ch1%3E%3Ca%20href%3D%22https%3A%2F%2Fattacker.example.com%2Flogin%22%3E%E2%9A%A0%20Your%20session%20has%20expired.%20Click%20here%20to%20sign%20in%20again.%3C%2Fa%3E%3C%2Fh1%3E&page=1
Raw payload:
<h1><a href="https://attacker.example.com/login">⚠ Your session has expired. Click here to sign in again.</a></h1>
PoC-3: Content Spoofing — Fake Security Alert
Fake security warning directing victim to attacker-controlled contact.
http://localhost:3456/projects/-1/-1?filter=%3Ch1%3E%3Cu%3E%3Cb%3E%E2%9A%A0%20SECURITY%20ALERT%3C%2Fb%3E%3C%2Fu%3E%3C%2Fh1%3E%3Cb%3EUnauthorized%20access%20detected%20on%20your%20account.%20Your%20account%20will%20be%20suspended%20in%2024%20hours.%20Contact%20IT%20security%20immediately%20at%20security%40attacker.example.com%20or%20visit%20https%3A%2F%2Fattacker.example.com%2Fverify%20to%20confirm%20your%20identity.%3C%2Fb%3E&page=1
Raw payload:
<h1><u><b>⚠ SECURITY ALERT</b></u></h1><b>Unauthorized access detected on your account. Your account will be suspended in 24 hours. Contact IT security immediately at security@attacker.example.com or visit https://attacker.example.com/verify to confirm your identity.</b>
Root Cause
The filter parameter is inserted into the DOM as raw HTML — likely via Vue.js v-html or innerHTML. A partial denylist strips <script> and <iframe> but does not encode output or filter SVG/anchor/formatting elements. No allowlist, no output encoding, no input syntax validation exists.
Impact
| Impact | Description |
|---|---|
| SVG Phishing Buttons | Pixel-perfect fake buttons redirect to credential harvesting pages |
| External Redirect | Anchor tags point to attacker domains from within trusted origin |
| Content Spoofing | Fake alerts manipulate users into contacting attacker channels |
| Self-Hosted Risk | Compromised credentials may grant access to internal infrastructure |
| API Access | Same credentials grant full REST API access for data exfiltration |
| No Logging | GET-based reflected injection leaves no distinguishable server logs |
Not Self-XSS: Payload is attacker-controlled via URL, delivered through routine link sharing, triggered by standard UI interaction. Victim performs no security-relevant decision.
CWE & CVSS
CWE-79 (Primary) — Improper Neutralization of Input During Web Page Generation
CWE-80 (Secondary) — Improper Neutralization of Script-Related HTML Tags
CVSS 3.1: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N — 6.1 (Medium)
Score understates risk because: user interactions are routine workflow (not security decisions), SVG enables pixel-perfect UI spoofing, self-hosted deployments expose internal infrastructure, and API credential equivalence enables automated data exfiltration.
Remediation
| Priority | Action |
|---|---|
| P0 | Replace v-html with v-text or {{ }} interpolation (auto-escapes HTML) |
| P0 | HTML entity encode the filter value at rendering point |
| P1 | Replace denylist with DOMPurify strict allowlist or eliminate HTML rendering of filter values |
| P1 | Deploy CSP with form-action 'self' |
| P2 | Server-side input validation — reject filter values not matching expected syntax |
References
- Vikunja Repository: https://github.com/go-vikunja/vikunja
- CWE-79: https://cwe.mitre.org/data/definitions/79.html
- CWE-80: https://cwe.mitre.org/data/definitions/80.html
- OWASP XSS Prevention: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Scripting_Prevention_Cheat_Sheet.html
Conclusion
The filter parameter in Vikunja's Projects module renders unsanitized HTML into the DOM, enabling SVG-based phishing buttons, external redirect links, and content spoofing within the trusted application origin. The attack requires only routine workflow actions — opening a shared link and clicking "Filter." The fix is a single-line change: replacing v-html with v-text in the Vue.js rendering logic. Given Vikunja's adoption (3,300+ stars), self-hosted deployment model, and API credential equivalence, this warrants prompt remediation.
A fix is available at https://github.com/go-vikunja/vikunja/releases/tag/v2.0.0.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "code.vikunja.io/api"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.24.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-27116"
],
"database_specific": {
"cwe_ids": [
"CWE-116",
"CWE-79",
"CWE-80"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-25T22:01:25Z",
"nvd_published_at": "2026-02-25T22:16:24Z",
"severity": "MODERATE"
},
"details": "## Summary\n\n[Vikunja](https://github.com/go-vikunja/vikunja) is an open-source self-hosted task management platform with 3,300+ GitHub stars. A reflected HTML injection vulnerability exists in the Projects module where the `filter` URL parameter is rendered into the DOM without output encoding when the user clicks \"Filter.\" While `\u003cscript\u003e` and `\u003ciframe\u003e` are blocked, `\u003csvg\u003e`, `\u003ca\u003e`, and formatting tags (`\u003ch1\u003e`, `\u003cb\u003e`, `\u003cu\u003e`) render without restriction \u2014 enabling SVG-based phishing buttons, external redirect links, and content spoofing within the trusted application origin.\n\n**Attack flow:** Attacker shares a crafted project filter link (routine Vikunja workflow) \u2192 victim opens it \u2192 victim clicks \"Filter\" (standard UI action) \u2192 phishing content renders inside trusted Vikunja interface.\n\n## Affected Component\n\n| Field | Detail |\n|---|---|\n| Application | Vikunja v1.1.0 |\n| Module | Projects |\n| Endpoint | `/projects/-1/-1?filter=PAYLOAD\u0026page=1` |\n| Parameter | `filter` (GET) |\n| Trigger | Click \"Filter\" button |\n| Stack | Go backend, Vue.js + TypeScript frontend |\n| Blocked | `\u003cscript\u003e`, `\u003ciframe\u003e` |\n| Allowed | `\u003csvg\u003e`, `\u003ca\u003e`, `\u003crect\u003e`, `\u003ctext\u003e`, `\u003ch1\u003e`, `\u003cb\u003e`, `\u003cu\u003e` |\n\n## Proof-of-Concept\n\n### PoC-1: SVG Phishing Button (Highest Impact)\n\nRenders a styled, clickable red button redirecting to attacker domain. Visually indistinguishable from a real UI button.\n\n```\nhttp://localhost:3456/projects/-1/-1?filter=%3Csvg%20width%3D%22400%22%20height%3D%2260%22%3E%3Ca%20href%3D%22https%3A%2F%2Fattacker.example.com%2Flogin%22%3E%3Crect%20width%3D%22400%22%20height%3D%2260%22%20rx%3D%224%22%20fill%3D%22%23d32f2f%22%3E%3C%2Frect%3E%3Ctext%20x%3D%22200%22%20y%3D%2237%22%20text-anchor%3D%22middle%22%20fill%3D%22white%22%20font-size%3D%2216%22%3ESession%20Expired%20-%20Click%20to%20Re-authenticate%3C%2Ftext%3E%3C%2Fa%3E%3C%2Fsvg%3E\u0026page=1\n```\n\nRaw payload:\n```html\n\u003csvg width=\"400\" height=\"60\"\u003e\u003ca href=\"https://attacker.example.com/login\"\u003e\u003crect width=\"400\" height=\"60\" rx=\"4\" fill=\"#d32f2f\"\u003e\u003c/rect\u003e\u003ctext x=\"200\" y=\"37\" text-anchor=\"middle\" fill=\"white\" font-size=\"16\"\u003eSession Expired - Click to Re-authenticate\u003c/text\u003e\u003c/a\u003e\u003c/svg\u003e\n```\n\n### PoC-2: Phishing Link via Heading + Anchor\n\nProminent clickable link styled as urgent system message.\n\n```\nhttp://localhost:3456/projects/-1/-1?filter=%3Ch1%3E%3Ca%20href%3D%22https%3A%2F%2Fattacker.example.com%2Flogin%22%3E%E2%9A%A0%20Your%20session%20has%20expired.%20Click%20here%20to%20sign%20in%20again.%3C%2Fa%3E%3C%2Fh1%3E\u0026page=1\n```\n\nRaw payload:\n```html\n\u003ch1\u003e\u003ca href=\"https://attacker.example.com/login\"\u003e\u26a0 Your session has expired. Click here to sign in again.\u003c/a\u003e\u003c/h1\u003e\n```\n\n### PoC-3: Content Spoofing \u2014 Fake Security Alert\n\nFake security warning directing victim to attacker-controlled contact.\n\n```\nhttp://localhost:3456/projects/-1/-1?filter=%3Ch1%3E%3Cu%3E%3Cb%3E%E2%9A%A0%20SECURITY%20ALERT%3C%2Fb%3E%3C%2Fu%3E%3C%2Fh1%3E%3Cb%3EUnauthorized%20access%20detected%20on%20your%20account.%20Your%20account%20will%20be%20suspended%20in%2024%20hours.%20Contact%20IT%20security%20immediately%20at%20security%40attacker.example.com%20or%20visit%20https%3A%2F%2Fattacker.example.com%2Fverify%20to%20confirm%20your%20identity.%3C%2Fb%3E\u0026page=1\n```\n\nRaw payload:\n```html\n\u003ch1\u003e\u003cu\u003e\u003cb\u003e\u26a0 SECURITY ALERT\u003c/b\u003e\u003c/u\u003e\u003c/h1\u003e\u003cb\u003eUnauthorized access detected on your account. Your account will be suspended in 24 hours. Contact IT security immediately at security@attacker.example.com or visit https://attacker.example.com/verify to confirm your identity.\u003c/b\u003e\n```\n\n## Root Cause\n\nThe `filter` parameter is inserted into the DOM as raw HTML \u2014 likely via Vue.js `v-html` or `innerHTML`. A partial denylist strips `\u003cscript\u003e` and `\u003ciframe\u003e` but does not encode output or filter SVG/anchor/formatting elements. No allowlist, no output encoding, no input syntax validation exists.\n\n## Impact\n\n| Impact | Description |\n|---|---|\n| SVG Phishing Buttons | Pixel-perfect fake buttons redirect to credential harvesting pages |\n| External Redirect | Anchor tags point to attacker domains from within trusted origin |\n| Content Spoofing | Fake alerts manipulate users into contacting attacker channels |\n| Self-Hosted Risk | Compromised credentials may grant access to internal infrastructure |\n| API Access | Same credentials grant full REST API access for data exfiltration |\n| No Logging | GET-based reflected injection leaves no distinguishable server logs |\n\n**Not Self-XSS:** Payload is attacker-controlled via URL, delivered through routine link sharing, triggered by standard UI interaction. Victim performs no security-relevant decision.\n\n## CWE \u0026 CVSS\n\n**CWE-79** (Primary) \u2014 Improper Neutralization of Input During Web Page Generation\n\n**CWE-80** (Secondary) \u2014 Improper Neutralization of Script-Related HTML Tags\n\n**CVSS 3.1:** `AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N` \u2014 **6.1 (Medium)**\n\nScore understates risk because: user interactions are routine workflow (not security decisions), SVG enables pixel-perfect UI spoofing, self-hosted deployments expose internal infrastructure, and API credential equivalence enables automated data exfiltration.\n\n## Remediation\n\n| Priority | Action |\n|---|---|\n| P0 | Replace `v-html` with `v-text` or `{{ }}` interpolation (auto-escapes HTML) |\n| P0 | HTML entity encode the `filter` value at rendering point |\n| P1 | Replace denylist with DOMPurify strict allowlist or eliminate HTML rendering of filter values |\n| P1 | Deploy CSP with `form-action \u0027self\u0027` |\n| P2 | Server-side input validation \u2014 reject filter values not matching expected syntax |\n\n## References\n\n- Vikunja Repository: https://github.com/go-vikunja/vikunja\n- CWE-79: https://cwe.mitre.org/data/definitions/79.html\n- CWE-80: https://cwe.mitre.org/data/definitions/80.html\n- OWASP XSS Prevention: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Scripting_Prevention_Cheat_Sheet.html\n\n## Conclusion\n\nThe `filter` parameter in Vikunja\u0027s Projects module renders unsanitized HTML into the DOM, enabling SVG-based phishing buttons, external redirect links, and content spoofing within the trusted application origin. The attack requires only routine workflow actions \u2014 opening a shared link and clicking \"Filter.\" The fix is a single-line change: replacing `v-html` with `v-text` in the Vue.js rendering logic. Given Vikunja\u0027s adoption (3,300+ stars), self-hosted deployment model, and API credential equivalence, this warrants prompt remediation.\n\n\u003cimg width=\"1920\" height=\"1020\" alt=\"image\" src=\"https://github.com/user-attachments/assets/007f9b1a-fd20-4fe8-84e5-1bf886a5a7a9\" /\u003e\n\nA fix is available at https://github.com/go-vikunja/vikunja/releases/tag/v2.0.0.",
"id": "GHSA-4qgr-4h56-8895",
"modified": "2026-02-27T21:50:55Z",
"published": "2026-02-25T22:01:25Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-4qgr-4h56-8895"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27116"
},
{
"type": "WEB",
"url": "https://github.com/go-vikunja/vikunja/commit/a42b4f37bde58596a3b69482cd5a67641a94f62d"
},
{
"type": "WEB",
"url": "https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Scripting_Prevention_Cheat_Sheet.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/go-vikunja/vikunja"
},
{
"type": "WEB",
"url": "https://github.com/go-vikunja/vikunja/releases/tag/v2.0.0"
},
{
"type": "WEB",
"url": "https://vikunja.io/changelog/vikunja-v2.0.0-was-released"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Vikunja has Reflected HTML Injection via filter Parameter in its Projects Module"
}
GHSA-52VW-WFF4-8W2J
Vulnerability from github – Published: 2022-05-24 16:57 – Updated: 2024-04-04 02:01LibreOffice documents can contain macros. The execution of those macros is controlled by the document security settings, typically execution of macros are blocked by default. A URL decoding flaw existed in how the urls to the macros within the document were processed and categorized, resulting in the possibility to construct a document where macro execution bypassed the security settings. The documents were correctly detected as containing macros, and prompted the user to their existence within the documents, but macros within the document were subsequently not controlled by the security settings allowing arbitrary macro execution This issue affects: LibreOffice 6.2 series versions prior to 6.2.7; LibreOffice 6.3 series versions prior to 6.3.1.
{
"affected": [],
"aliases": [
"CVE-2019-9853"
],
"database_specific": {
"cwe_ids": [
"CWE-116"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-09-27T16:15:00Z",
"severity": "HIGH"
},
"details": "LibreOffice documents can contain macros. The execution of those macros is controlled by the document security settings, typically execution of macros are blocked by default. A URL decoding flaw existed in how the urls to the macros within the document were processed and categorized, resulting in the possibility to construct a document where macro execution bypassed the security settings. The documents were correctly detected as containing macros, and prompted the user to their existence within the documents, but macros within the document were subsequently not controlled by the security settings allowing arbitrary macro execution This issue affects: LibreOffice 6.2 series versions prior to 6.2.7; LibreOffice 6.3 series versions prior to 6.3.1.",
"id": "GHSA-52vw-wff4-8w2j",
"modified": "2024-04-04T02:01:06Z",
"published": "2022-05-24T16:57:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9853"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/19c917f7c8a0d8f62142046fabfe3e2c7d6091ef1f92b99c6e79e24e%40%3Ccommits.openoffice.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/27339e8a9a1e9bb47fbdb939b338256d0356250a1974aaf4d774f683%40%3Ccommits.openoffice.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/306a374361891eb17c6cffc99c3d7be1d3152a99c839d4231edc1631%40%3Ccommits.openoffice.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/3a5570ca5cd14ad08e24684c71cfeff3a507f108fe3cf30ba4f58226%40%3Ccommits.openoffice.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/4ae0e6e52600f408d943ded079d314733ce188b04b04471464f89c4f%40%3Ccommits.openoffice.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/70da9481dca267405e1d79e53942264765ef3f55c9a563c3737e3926%40%3Ccommits.openoffice.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/7394e6b5f78a878bd0c44e9bc9adf90b8cdf49e9adc0f287145aba9b%40%3Ccommits.openoffice.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/9dc85d9937ad7f101047c53f78c00e8ceb135eaeff7dcf4724b46f2c%40%3Ccommits.openoffice.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/a5231ad45b030b54828c7b0b62a7e7d4b48481c7cb83ff628e07fa43%40%3Ccommits.openoffice.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/a540d1b6f9a7ebb206adba02839f654a6ee63a7b0976f559a847e49a%40%3Ccommits.openoffice.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/ca216900abd846f0220fe18b95f9f787bdbe0e87fa4eee822073cd69%40%3Ccommits.openoffice.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/10/msg00005.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KQGBRSD73KTDZ2MPAOL7FBWO3SQVYE5B"
},
{
"type": "WEB",
"url": "https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9853"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00040.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/156474/Open-Xchange-App-Suite-Documents-Server-Side-Request-Forgery.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2020/Feb/23"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-545F-PGP7-FWJF
Vulnerability from github – Published: 2022-05-17 00:00 – Updated: 2022-06-01 21:14An anonymous user can craft a URL with text that ends up in the log viewer as is. The text can then include textual messages to mislead the administrator.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.craftercms:craftercms"
},
"ranges": [
{
"events": [
{
"introduced": "3.1.0"
},
{
"fixed": "3.1.18"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-23266"
],
"database_specific": {
"cwe_ids": [
"CWE-116"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-01T21:14:49Z",
"nvd_published_at": "2022-05-16T17:15:00Z",
"severity": "MODERATE"
},
"details": "An anonymous user can craft a URL with text that ends up in the log viewer as is. The text can then include textual messages to mislead the administrator.",
"id": "GHSA-545f-pgp7-fwjf",
"modified": "2022-06-01T21:14:49Z",
"published": "2022-05-17T00:00:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23266"
},
{
"type": "WEB",
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2022051602"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Log value insertion in craftercms"
}
GHSA-54Q6-7P8P-RGQR
Vulnerability from github – Published: 2022-01-25 00:00 – Updated: 2022-07-13 00:01An issue was discovered in COINS Construction Cloud 11.12. Due to improper validation of user-controlled HTTP headers, attackers can cause it to send password-reset e-mails pointing to arbitrary websites.
{
"affected": [],
"aliases": [
"CVE-2021-45226"
],
"database_specific": {
"cwe_ids": [
"CWE-116",
"CWE-20"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-24T20:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in COINS Construction Cloud 11.12. Due to improper validation of user-controlled HTTP headers, attackers can cause it to send password-reset e-mails pointing to arbitrary websites.",
"id": "GHSA-54q6-7p8p-rgqr",
"modified": "2022-07-13T00:01:50Z",
"published": "2022-01-25T00:00:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45226"
},
{
"type": "WEB",
"url": "https://appsource.microsoft.com/en-us/product/web-apps/constructionindustrysolutionslimited-5057232.coinsconstructioncloud?tab=overview"
},
{
"type": "WEB",
"url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-051.txt"
},
{
"type": "WEB",
"url": "https://www.syss.de/pentest-blog/multiple-schwachstellen-im-coins-construction-cloud-erp-syss-2021-028/-029/-030/-031/-051/-052/-053"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-555P-HVWP-MH56
Vulnerability from github – Published: 2023-10-22 06:30 – Updated: 2024-04-04 08:52iTerm2 before 3.4.20 allow (potentially remote) code execution because of mishandling of certain escape sequences related to upload.
{
"affected": [],
"aliases": [
"CVE-2023-46301"
],
"database_specific": {
"cwe_ids": [
"CWE-116"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-22T04:15:09Z",
"severity": "CRITICAL"
},
"details": "iTerm2 before 3.4.20 allow (potentially remote) code execution because of mishandling of certain escape sequences related to upload.",
"id": "GHSA-555p-hvwp-mh56",
"modified": "2024-04-04T08:52:42Z",
"published": "2023-10-22T06:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46301"
},
{
"type": "WEB",
"url": "https://github.com/gnachman/iTerm2/commit/85cbf5ebda472c9ec295887e99c2b6f1b5867f1b"
},
{
"type": "WEB",
"url": "https://github.com/gnachman/iTerm2/commit/b2268b03b5f3d4cd8ca275eaef5d16d0fac20009"
},
{
"type": "WEB",
"url": "https://blog.solidsnail.com/posts/2023-08-28-iterm2-rce"
},
{
"type": "WEB",
"url": "https://iterm2.com/news.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-56XQ-39JP-P7R8
Vulnerability from github – Published: 2022-12-12 09:30 – Updated: 2022-12-13 18:30IBM API Connect V10.0.0.0 through V10.0.5.0, V10.0.1.0 through V10.0.1.7, and V2018.4.1.0 through 2018.4.1.19 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 213212.
{
"affected": [],
"aliases": [
"CVE-2021-38997"
],
"database_specific": {
"cwe_ids": [
"CWE-116"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-12T09:15:00Z",
"severity": "MODERATE"
},
"details": "IBM API Connect V10.0.0.0 through V10.0.5.0, V10.0.1.0 through V10.0.1.7, and V2018.4.1.0 through 2018.4.1.19 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 213212.",
"id": "GHSA-56xq-39jp-p7r8",
"modified": "2022-12-13T18:30:26Z",
"published": "2022-12-12T09:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38997"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/213212"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6842621"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-59F9-39VX-2R92
Vulnerability from github – Published: 2024-07-15 03:30 – Updated: 2024-07-15 03:30IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 296003.
{
"affected": [],
"aliases": [
"CVE-2024-39736"
],
"database_specific": {
"cwe_ids": [
"CWE-116",
"CWE-644"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-15T02:15:05Z",
"severity": "MODERATE"
},
"details": "IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 296003.",
"id": "GHSA-59f9-39vx-2r92",
"modified": "2024-07-15T03:30:58Z",
"published": "2024-07-15T03:30:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39736"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/296003"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7160185"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-4.3
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using the ESAPI Encoding control [REF-45] or a similar tool, library, or framework. These will help the programmer encode outputs in a manner less prone to error.
- Alternately, use built-in functions, but consider using wrappers in case those functions are discovered to have a vulnerability.
Mitigation MIT-27
Strategy: Parameterization
- If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.
- For example, stored procedures can enforce database query structure and reduce the likelihood of SQL injection.
Mitigation
Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies.
Mitigation
In some cases, input validation may be an important strategy when output encoding is not a complete solution. For example, you may be providing the same output that will be processed by multiple consumers that use different encodings or representations. In other cases, you may be required to allow user-supplied input to contain control information, such as limited HTML tags that support formatting in a wiki or bulletin board. When this type of requirement must be met, use an extremely strict allowlist to limit which control sequences can be used. Verify that the resulting syntactic structure is what you expect. Use your normal encoding methods for the remainder of the input.
Mitigation
Use input validation as a defense-in-depth measure to reduce the likelihood of output encoding errors (see CWE-20).
Mitigation
Fully specify which encodings are required by components that will be communicating with each other.
Mitigation
When exchanging data between components, ensure that both components are using the same character encoding. Ensure that the proper encoding is applied at each interface. Explicitly set the encoding you are using whenever the protocol allows you to do so.
CAPEC-104: Cross Zone Scripting
An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security.
CAPEC-73: User-Controlled Filename
An attack of this type involves an adversary inserting malicious characters (such as a XSS redirection) into a filename, directly or indirectly that is then used by the target software to generate HTML text or other potentially executable content. Many websites rely on user-generated content and dynamically build resources like files, filenames, and URL links directly from user supplied data. In this attack pattern, the attacker uploads code that can execute in the client browser and/or redirect the client browser to a site that the attacker owns. All XSS attack payload variants can be used to pass and exploit these vulnerabilities.
CAPEC-81: Web Server Logs Tampering
Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.
CAPEC-85: AJAX Footprinting
This attack utilizes the frequent client-server roundtrips in Ajax conversation to scan a system. While Ajax does not open up new vulnerabilities per se, it does optimize them from an attacker point of view. A common first step for an attacker is to footprint the target environment to understand what attacks will work. Since footprinting relies on enumeration, the conversational pattern of rapid, multiple requests and responses that are typical in Ajax applications enable an attacker to look for many vulnerabilities, well-known ports, network locations and so on. The knowledge gained through Ajax fingerprinting can be used to support other attacks, such as XSS.