CVE-2026-24824
Unknown Unknown - Not Provided
Cross-Site Scripting in YaCy Search Server Servlet Module

Publication date: 2026-01-27

Last updated on: 2026-01-27

Assigner: Government Technology Agency of Singapore Cyber Security Group (GovTech CSG)

Description
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in yacy yacy_search_server (source/net/yacy/http/servlets modules). This vulnerability is associated with program files YaCyDefaultServlet.Java. This issue affects yacy_search_server.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-27
Last Modified
2026-01-27
Generated
2026-06-16
AI Q&A
2026-01-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24824
EUVD
EUVD-2026-4805
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
yacy yacy_search_server to 2025-09-14 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Cross-site Scripting (XSS) issue in the YaCy search server, specifically in the sendDirectory() function of the YaCyDefaultServlet.java file. It occurs because the code improperly encodes directory paths by using URIUtil.addPaths instead of URIUtil.addEncodedPaths. This improper encoding allows special characters in input to be interpreted as executable code, enabling attackers to inject malicious scripts or perform path injection attacks. [1]

Impact Analysis

This vulnerability can allow attackers to execute malicious scripts in the context of the affected web application, potentially leading to unauthorized actions such as stealing user data, session hijacking, or manipulating the web page content. It may also enable path injection attacks, which could compromise the server or expose sensitive information. [1]

Detection Guidance

This vulnerability can be detected by testing the web application for improper encoding of directory paths that may lead to cross-site scripting (XSS). Specifically, attempts to inject special characters or scripts into directory path parameters and observing if they are executed or improperly rendered can indicate the presence of the vulnerability. Since the issue involves improper encoding in the sendDirectory() function, you can use web application security testing tools or manual curl commands to send crafted requests with special characters in the path parameters and check the responses for unencoded or executable content. For example, using curl to send requests with encoded and unencoded special characters and analyzing the response for script execution or reflected input may help detect the issue. However, no specific commands are provided in the resources. [1]

Mitigation Strategies

The immediate mitigation step is to update the yacy_search_server to the version that includes the fix where the code replaces `URIUtil.addPaths` with `URIUtil.addEncodedPaths` in the sendDirectory() function. This ensures proper encoding of special characters in directory paths, preventing XSS and path injection attacks. Applying this patch or upgrading to the fixed version merged on September 14, 2025, will mitigate the vulnerability. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24824. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart