Description
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in yacy yacy_search_server (source/net/yacy/http/servlets modules). This vulnerability is associated with program files YaCyDefaultServlet.Java.

This issue affects yacy_search_server.
Published: 2026-01-27
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑site scripting that can enable session hijacking or defacement
Action: Apply Patch
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation in yacy_search_server. An attacker can inject malicious JavaScript through HTTP requests, causing a web browser to execute that script in the context of an authenticated user. This can lead to theft of session cookies, unauthorized actions, or defacement of the site. The weakness is a classic input‑validation flaw described by CWE‑79.

Affected Systems

The affected product is the yacy_search_server component of the yacy project. No specific version information is noted in the CVE entry, so any deployment of this component could be affected unless a later release has applied the fix.

Risk and Exploitability

Based on the description, the likely attack vector is remote via HTTP requests to the YaCyDefaultServlet. The CVSS score of 6.9 indicates moderate severity, and the EPSS score of less than 1% shows a very low probability of being seen in the wild. The vulnerability is not listed in CISA’s KEV catalog. The exploitation path relies on remote input via web requests to the YaCyDefaultServlet. Successful exploitation requires that the attacker can deliver crafted requests to the vulnerable server, which is generally available over the public internet.

Generated by OpenCVE AI on April 18, 2026 at 18:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest version of yacy_search_server that addresses the XSS issue.
  • If an update is not immediately available, use a web application firewall rule or reverse‑proxy configuration that sanitizes or blocks user‑controlled input before it reaches the servlet.
  • Ensure that all user‑supplied data is properly escaped when rendering HTML, following the recommendations for mitigating CWE‑79.

Generated by OpenCVE AI on April 18, 2026 at 18:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 27 Jan 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Yacy
Yacy yacy Search Server
Vendors & Products Yacy
Yacy yacy Search Server

Tue, 27 Jan 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 27 Jan 2026 09:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in yacy yacy_search_server (source/net/yacy/http/servlets modules). This vulnerability is associated with program files YaCyDefaultServlet.Java. This issue affects yacy_search_server.
Title A XSS in yacy/yacy_search_server
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/AU:Y/R:U/V:D/RE:M/U:Amber'}

Subscriptions

Yacy Yacy Search Server
cve-icon MITRE

Status: PUBLISHED

Assigner: GovTech CSG

Published:

Updated: 2026-01-27T16:58:24.836Z

Reserved: 2026-01-27T08:59:05.366Z

Link: CVE-2026-24824

cve-icon Vulnrichment

Updated: 2026-01-27T16:58:21.240Z

cve-icon NVD

Status : Deferred

Published: 2026-01-27T09:15:53.203

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24824

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T19:00:08Z

Weaknesses