Description
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache SkyWalking.

This issue affects Apache SkyWalking: <= 10.2.0.

Users are recommended to upgrade to version 10.3.0, which fixes the issue.
Published: 2025-11-27
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS
Action: Immediate Patch
AI Analysis

Impact

Apache SkyWalking is vulnerable to an Improper Neutralization of Script-Related HTML Tags in a Web Page, allowing stored Cross-Site Scripting (XSS). Malicious code can be uploaded, saved, and later rendered in the user interface, enabling an attacker to create defacement pages, steal session cookies, or perform session hijacking. The weakness falls under CWE-80 and can compromise the confidentiality and integrity of data viewed by any authenticated or unauthenticated user who loads the impacted page.

Affected Systems

Apache Software Foundation’s Apache SkyWalking, versions up to and including 10.2.0, is affected by this stored XSS flaw. Upgrading to version 10.3.0 removes the vulnerability.

Risk and Exploitability

The CVSS score of 6.1 classifies the vulnerability as moderate severity, and the EPSS score of less than 1% indicates a very low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C) describes a network-reachable attack that needs no privileges but does require a victim to load the affected page, consistent with web input fields that store user data without proper output encoding. While the risk is not exceptionally high, the impact of successful exploitation could undermine session security and user trust.

Generated by OpenCVE AI on April 20, 2026 at 16:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache SkyWalking to version 10.3.0 or later
  • Sanitize all user-controlled input by escaping or removing script-related tags before storage
  • Implement a Content Security Policy that limits the execution of inline scripts
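
The two controls above, output encoding and a Content Security Policy, shown as an added example in JavaScript; this is not SkyWalking code and not part of the OpenCVE record. The function names (escapeHtml, renderCell, buildCsp), the stored sample value and the CSP directive set are assumptions chosen for illustration.

```javascript
// Added example (not SkyWalking code): encode untrusted stored text for the
// HTML element context at render time, and emit a CSP that blocks inline scripts.

// Every HTML-significant character and its entity form.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Encode a value so the browser renders it as text, never as markup.
// Apply this (or a framework's text binding) wherever stored data reaches HTML.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render one table cell from stored data (for example a service or endpoint
// name); both the attribute value and the element body are encoded.
function renderCell(label, value) {
  return `<td data-label="${escapeHtml(label)}">${escapeHtml(value)}</td>`;
}

// A strict policy that forbids inline <script> execution, matching the third
// recommendation above. Directive values are an assumption; tune per deployment.
function buildCsp() {
  return [
    "default-src 'self'",
    "script-src 'self'",
    "object-src 'none'",
    "base-uri 'self'",
    "frame-ancestors 'none'",
  ].join('; ');
}

// Constructed sample: a stored value that carries a script tag.
const SAMPLE_STORED_NAME = '<script>alert(1)</script>';

// Rendered output: the tag arrives in the DOM as text, so it does not execute.
function demo() {
  return {
    cell: renderCell('service', SAMPLE_STORED_NAME),
    header: 'Content-Security-Policy: ' + buildCsp(),
  };
}

console.log(demo().cell);
console.log(demo().header);
```

Stripping script tags at storage time, as the second recommendation suggests, is a defense-in-depth layer; the control that actually prevents stored markup from executing is context-aware encoding at the point of output, with the CSP limiting the damage if an encoding gap remains.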



Advisories
Source: Github GHSA
ID: GHSA-v6x2-4q87-rf82
Title: Apache SkyWalking has a stored XSS vulnerability
History

Mon, 13 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
References

Thu, 04 Dec 2025 17:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:apache:skywalking:*:*:*:*:*:*:*:*

Fri, 28 Nov 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 28 Nov 2025 09:00:00 +0000

Type Values Removed Values Added
First Time appeared (values added): Apache, Apache skywalking
Vendors & Products (values added): Apache, Apache skywalking

Thu, 27 Nov 2025 13:30:00 +0000

Type Values Removed Values Added
References

Thu, 27 Nov 2025 12:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache SkyWalking. This issue affects Apache SkyWalking: <= 10.2.0. Users are recommended to upgrade to version 10.3.0, which fixes the issue.
Title Apache SkyWalking: Stored XSS vulnerability
Weaknesses CWE-80
References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-13T15:29:56.169Z

Reserved: 2025-07-16T11:09:55.585Z

Link: CVE-2025-54057

Vulnrichment

Updated: 2026-04-13T15:29:56.169Z

NVD

Status : Modified

Published: 2025-11-27T12:15:47.253

Modified: 2026-04-13T16:16:24.293

Link: CVE-2025-54057

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T16:45:11Z

Weaknesses