Description
An authenticated user can perform XSS.

This issue affects Apache Atlas versions 2.4.0 and earlier.

Users are recommended to upgrade to version 2.5.0, which fixes the issue.
Published: 2026-06-22
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated user can inject and store malicious scripts through the Create Entity page in Apache Atlas. The stored payload is executed whenever any user subsequently loads the affected page, potentially enabling session hijacking, credential theft, or defacement. This is a classic Stored Cross‑Site Scripting flaw identified as CWE‑80.

Affected Systems

The flaw exists in Apache Atlas versions 2.4.0 and earlier, distributed by the Apache Software Foundation. Users of these releases should upgrade to 2.5.0 or later to eliminate the vulnerability.

Risk and Exploitability

Because the vulnerability requires valid authenticated access to the web interface, the probability of exploitation depends on the attacker's ability to compromise user credentials. The CVSS score of 5.4 indicates a moderate severity, and no EPSS score is available. The issue is not listed in CISA KEV, but the potential impact of script execution across affected users warrants prompt remediation.

Generated by OpenCVE AI on June 22, 2026 at 17:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Atlas to version 2.5.0 or later
  • If upgrade is delayed, restrict or remove access to the Create Entity page for non‑administrator users
  • Implement server‑side input sanitization for form fields to neutralize injected scripts

Generated by OpenCVE AI on June 22, 2026 at 17:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache atlas
Vendors & Products Apache
Apache atlas

Mon, 22 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Description An authenticated user can perform XSS. This issue affects Apache Atlas versions 2.4.0 and earlier. Users are recommended to upgrade to version 2.5.0, which fixes the issue.
Title Apache Atlas: Stored XSS in Create Entity page
Weaknesses CWE-80
References

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-22T15:50:36.658Z

Reserved: 2025-10-08T19:44:39.189Z

Link: CVE-2025-62198

cve-icon Vulnrichment

Updated: 2026-06-22T08:01:16.131Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-22T17:30:04Z

Weaknesses
  • CWE-80

    Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)