CVE-2026-24824
Cross-Site Scripting in YaCy Search Server Servlet Module
Publication date: 2026-01-27
Last updated on: 2026-01-27
Assigner: Government Technology Agency of Singapore Cyber Security Group (GovTech CSG)
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| yacy | yacy_search_server | up to 2025-09-14 (inclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a cross-site scripting (XSS) issue in the YaCy search server, specifically in the sendDirectory() function of YaCyDefaultServlet.java. It occurs because the code builds directory paths with URIUtil.addPaths instead of URIUtil.addEncodedPaths, so special characters in the path are not encoded before they are written into the response. Unencoded special characters can be interpreted by the browser as markup or script rather than as literal text, enabling attackers to inject malicious scripts or perform path injection attacks. [1]
How can this vulnerability impact me?
This vulnerability can allow attackers to execute malicious scripts in the context of the affected web application, potentially leading to unauthorized actions such as stealing user data, session hijacking, or manipulating the web page content. It may also enable path injection attacks, which could compromise the server or expose sensitive information. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the web application for improper encoding of directory paths that may lead to cross-site scripting (XSS): submit requests whose directory path parameters contain special characters and observe whether those characters come back unencoded or are rendered as markup. Since the issue is the encoding performed in the sendDirectory() function, web application security testing tools or manual curl requests that place encoded and unencoded special characters in the path can be used, with the responses checked for reflected, unencoded input. However, no specific commands are provided in the resources. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update yacy_search_server to a version that includes the fix, which replaces `URIUtil.addPaths` with `URIUtil.addEncodedPaths` in the sendDirectory() function so that special characters in directory paths are properly encoded, preventing XSS and path injection attacks. Applying this patch, or upgrading to the fixed version merged on September 14, 2025, mitigates the vulnerability. [1]
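The encoding defect described in the answers above, as an added example that is not YaCy's or Jetty's code: a directory listing rendered by raw string concatenation beside one that percent-encodes the request path for the href attribute and HTML-escapes it for the visible text, followed by the kind of reflected-input check a tester applies to a response. The function names, the sample path and the directory entries are constructed for illustration. YaCy's actual fix swaps Jetty's URIUtil.addPaths for URIUtil.addEncodedPaths; the hardened function here plays the role of that encoded-path builder, it is not a copy of either.

```python
"""
Illustration of CWE-79 in a directory listing (constructed example, not
YaCy or Jetty source). Shows why the request path must be encoded before
it is placed into HTML, and how to check a rendered page for unencoded
reflection of an untrusted value.
"""
import html
from urllib.parse import quote

# Constructed sample input: a directory path segment carrying HTML markup,
# and two file names, one of which contains a space.
SAMPLE_PATH = "/share/docs<i>x/"
SAMPLE_ENTRIES = ["readme.txt", "a b.pdf"]


def listing_unencoded(request_path, entries):
    """Vulnerable pattern: the request path is concatenated into both the
    href attribute and the visible text with no encoding at all, so any
    HTML-significant character in the path reaches the browser verbatim."""
    rows = []
    for name in entries:
        link = request_path + name  # plain join, like an unencoded path builder
        rows.append(f'<li><a href="{link}">{name}</a></li>')
    return f"<h1>Index of {request_path}</h1><ul>{''.join(rows)}</ul>"


def listing_encoded(request_path, entries):
    """Hardened pattern: percent-encode the path for the URL context and
    HTML-escape every value that is rendered as text or as an attribute."""
    rows = []
    for name in entries:
        # '/' stays as a separator in the directory part; the entry name is
        # encoded fully so a '/' inside a name cannot change the path.
        link = quote(request_path, safe="/") + quote(name, safe="")
        rows.append(
            f'<li><a href="{html.escape(link, quote=True)}">'
            f"{html.escape(name)}</a></li>"
        )
    return (
        f"<h1>Index of {html.escape(request_path)}</h1>"
        f"<ul>{''.join(rows)}</ul>"
    )


def reflected_unencoded(rendered, untrusted):
    """Detection check: True when an untrusted value that contains
    HTML-significant characters appears verbatim in the rendered page.
    A correctly encoded page never contains such a value literally."""
    if not any(c in untrusted for c in "<>\"'"):
        return False  # nothing HTML-significant to neutralize
    return untrusted in rendered


if __name__ == "__main__":
    bad = listing_unencoded(SAMPLE_PATH, SAMPLE_ENTRIES)
    good = listing_encoded(SAMPLE_PATH, SAMPLE_ENTRIES)
    print("unencoded listing reflects raw markup:", reflected_unencoded(bad, SAMPLE_PATH))
    print("encoded listing reflects raw markup:  ", reflected_unencoded(good, SAMPLE_PATH))
```

The check in `reflected_unencoded` looks for the literal untrusted value rather than for bare `<` characters, because a directory listing legitimately contains its own tags; what must never appear is the untrusted string with its special characters intact. Note that encoding is context-specific: the same path is percent-encoded for the href and entity-escaped for the text node, and the href value is entity-escaped again because it sits inside an HTML attribute.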