Description
lucy-xss-filter before commit e5826c0 allows an attacker to execute malicious JavaScript due to improper sanitization caused by misconfigured default superset rule files.
Published: 2026-01-16
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (client‑side JavaScript execution)
Action: Patch Required
AI Analysis

Impact

The vulnerability in the Lucy XSS filter precedes commit e5826c0 and results from improper sanitization due to misconfigured default superset rule files. This flaw, identified as CWE‑79, allows an attacker to inject malicious JavaScript that will execute in the victim’s browser. Such cross‑site scripting can be leveraged for phishing, cookie theft, and active content manipulation, posing risks to user confidentiality and application integrity.

Affected Systems

Naver’s Lucy XSS filter, all versions released before commit e5826c0. The exact version range is not specified in the CVE data, so any instance of the filter that has not been updated to the fixed commit may be affected.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of current exploitation. The vulnerability is not listed in the CISA KEV catalog. Likely exploitation requires the attacker to supply crafted input through a web form or HTTP request that is processed by the faulty XSS filter, taking advantage of the misconfigured superset rules to bypass sanitization.

Generated by OpenCVE AI on April 18, 2026 at 05:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest patch (commit e5826c0 or later) to the Lucy XSS filter.
  • Review and correctly configure the default superset rule files to ensure all script elements are properly filtered.
  • Validate the effectiveness of the XSS filter by testing it with known payloads or using automated XSS detection tools.

Generated by OpenCVE AI on April 18, 2026 at 05:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 06:15:00 +0000

Type Values Removed Values Added
Title Improper Sanitization in Lucy XSS Filter Enables JavaScript Execution

Fri, 23 Jan 2026 17:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:naver:lucy-xss-filter:*:*:*:*:*:*:*:*

Fri, 16 Jan 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Naver
Naver lucy-xss-filter
Vendors & Products Naver
Naver lucy-xss-filter
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 16 Jan 2026 05:30:00 +0000

Type Values Removed Values Added
Description lucy-xss-filter before commit e5826c0 allows an attacker to execute malicious JavaScript due to improper sanitization caused by misconfigured default superset rule files.
Weaknesses CWE-79
References

Subscriptions

Naver Lucy-xss-filter
cve-icon MITRE

Status: PUBLISHED

Assigner: naver

Published:

Updated: 2026-01-16T14:05:51.238Z

Reserved: 2026-01-16T05:06:27.870Z

Link: CVE-2026-23769

cve-icon Vulnrichment

Updated: 2026-01-16T14:05:37.411Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-16T06:15:51.483

Modified: 2026-01-23T17:19:04.873

Link: CVE-2026-23769

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T06:00:08Z

Weaknesses