CVE-2026-23769
BaseFortify
Publication date: 2026-01-16
Last updated on: 2026-01-16
Assigner: Naver Corporation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| naver | lucy-xss-filter | to 2025-06-09 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in lucy-xss-filter occurs because of improper sanitization due to misconfigured default superset rule files. It allows an attacker to execute malicious JavaScript, leading to a cross-site scripting (XSS) issue. [1]
How can this vulnerability impact me? :
The vulnerability can allow attackers to execute malicious JavaScript in the context of a vulnerable application, potentially leading to unauthorized actions, data theft, session hijacking, or other malicious activities that compromise user security. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update the lucy-xss-filter to include the enhanced superset rules that improve filtering of URI-valued attributes, especially for 'formaction' and 'action' attributes in form tags. This involves applying the fixes introduced in the pull request #32 merged on June 8, 2025, which strengthens the XSS filtering rules. Since the repository is archived and read-only as of June 9, 2025, ensure you use the latest patched version or apply the relevant rule updates manually if possible. [1]