CVE-2026-23768
BaseFortify
Publication date: 2026-01-16
Last updated on: 2026-01-16
Assigner: Naver Corporation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| naver | lucy-xss-filter | to 2025-06-08 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-23768 is a Server-Side Request Forgery (SSRF) vulnerability in the lucy-xss-filter library before commit 7c1de6d. It occurs when the ObjectSecurityListener or EmbedSecurityListener options are enabled and embed or object tags with a src attribute missing a file extension are used. The vulnerability allows an attacker to induce the server to make HTTP HEAD requests to arbitrary URLs, potentially attacker-controlled. This can lead to unauthorized internal network access and exposure of the server's Java version information via the USER-AGENT header in these requests. [1]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to make your server send unauthorized HTTP HEAD requests to arbitrary URLs, including internal network resources. This can lead to unauthorized access to internal systems, potential exploitation of internal HTTP handlers that accept GET/HEAD requests, and leakage of sensitive server environment information such as the Java version, which can aid attackers in further attacks. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unexpected outbound HTTP HEAD requests originating from the server running lucy-xss-filter, especially when the ObjectSecurityListener or EmbedSecurityListener options are enabled. One can observe network traffic for HEAD requests to unusual or attacker-controlled URLs. Additionally, reviewing server logs for such outbound requests or using network packet capture tools like tcpdump or Wireshark to filter for HTTP HEAD requests can help detect exploitation attempts. Example commands include: 1) Using tcpdump to capture HEAD requests: tcpdump -i <interface> 'tcp[tcpflags] & tcp-push != 0 and tcp[13] = 0x02' or more simply tcpdump -i <interface> 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' and filter for HEAD method in captured packets. 2) Using curl or custom scripts to test if the server issues HEAD requests when embedding object or embed tags with src attributes missing file extensions, as demonstrated in the proof-of-concept test code repository. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling the ObjectSecurityListener and EmbedSecurityListener options in lucy-xss-filter if they are not essential, to prevent the vulnerable code path from executing. If these options must be enabled, update lucy-xss-filter to the fixed version merged on June 8, 2025, which avoids making HTTP requests for MIME type detection on untrusted URLs and instead uses a fixed MIME type value like application/octet-stream. This update prevents SSRF and Java version information leakage. Additionally, restrict outbound HTTP requests from the server to trusted destinations via firewall rules as a temporary measure. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources do not specify how the CVE-2026-23768 vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.