Description
Improper Neutralization of Alternate XSS Syntax vulnerability in Apache Answer.

This issue affects Apache Answer: through 2.0.0.

AI-generated response content was rendered in the browser without proper sanitization, allowing malicious scripts to be executed when the content was viewed.
Users are recommended to upgrade to version 2.0.1, which fixes the issue.
Published: 2026-06-09
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an Improper Neutralization of Alternate XSS Syntax issue in Apache Answer. AI-generated responses are rendered in the browser without proper sanitization, so a malicious script embedded in such a response runs in the victim's browser. This client-side script execution can facilitate credential theft, session hijacking, or other malicious actions. The weakness corresponds to CWE-87, indicating an input validation flaw.

Affected Systems

Apache Software Foundation's Apache Answer is affected in all releases through version 2.0.0. Users should update to version 2.0.1 or later to receive the fix.

Risk and Exploitability

The CVSS score is 6.1, the EPSS score is < 1%, and the issue is not listed in the CISA KEV catalog. The description implies that exploitation requires the victim to view malicious content in a browser, so the attack depends on user interaction. While the EPSS score indicates a low exploitation probability, the potential impact remains significant for users who frequently consume AI-generated answers, raising the risk from moderate to high.

Generated by OpenCVE AI on June 9, 2026 at 17:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official update to Apache Answer version 2.0.1 or later.
  • Configure the application to sanitize or escape all AI-generated answer content before rendering.
  • Deploy a Content Security Policy that blocks inline scripts and restricts script sources.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 16:30:00 +0000

Type: Metrics
Values added:
  • cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
  • ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 10:30:00 +0000

Type: References
Values added: (not shown)

Tue, 09 Jun 2026 09:45:00 +0000

Type: First Time appeared
Values added:
  • Apache
  • Apache answer

Type: Vendors & Products
Values added:
  • Apache
  • Apache answer

Tue, 09 Jun 2026 08:45:00 +0000

Type: Description
Values added: Improper Neutralization of Alternate XSS Syntax vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. AI-generated response content was rendered in the browser without proper sanitization, allowing malicious scripts to be executed when the content was viewed. Users are recommended to upgrade to version 2.0.1, which fixes the issue.

Type: Title
Values added: Apache Answer: XSS in AI Answer Rendering

Type: Weaknesses
Values added: CWE-87

Type: References
Values added: (not shown)

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-09T14:56:41.862Z

Reserved: 2026-02-05T08:46:14.890Z

Link: CVE-2026-25688

Vulnrichment

Updated: 2026-06-09T09:07:29.704Z

NVD

Status : Undergoing Analysis

Published: 2026-06-09T09:16:28.780

Modified: 2026-06-09T16:16:40.150

Link: CVE-2026-25688

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T17:30:10Z

Weaknesses