Description
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache Answer.

This issue affects Apache Answer: through 2.0.0.

User-supplied content was included in notification emails without proper escaping, allowing authenticated users to inject arbitrary HTML into emails sent to other users.
Users are recommended to upgrade to version 2.0.1, which fixes the issue.
Published: 2026-06-09
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Apache Answer allows authenticated users to embed arbitrary HTML in email notifications. The application fails to neutralize script‑related tags before inserting user data, enabling the injection of malicious HTML content into outbound emails. When recipients view these emails, the embedded content can execute in their email client, potentially leading to data theft, credential compromise, or further phishing attacks. This flaw is a classic example of cross‑site scripting in an email context.

Affected Systems

Apache Software Foundation’s Apache Answer, affected versions up to and including 2.0.0. Users must verify their deployment version; the fix is available in 2.0.1 and later.

Risk and Exploitability

The CVSS score is 5.4, indicating moderate severity. The EPSS score is below 1%, suggesting a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers must be authenticated to the target instance and able to trigger notification emails to other users, so the threat vector is internal but still significant for organizations that rely on Apache Answer for user communications.

Generated by OpenCVE AI on June 9, 2026 at 17:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Answer to version 2.0.1 or later. This patch removes the vulnerability by properly escaping user‑supplied content in notification emails.
  • Configure the application to escape or strip all script‑related tags (e.g., <script>, <iframe>, <object>) before rendering user input in email bodies. This directly mitigates the CWE‑80 flaw.
  • Restrict notification emails to plain text or a strict whitelist of safe HTML tags, and enforce MIME type restrictions so that user‑supplied content cannot be delivered as executable HTML.
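The escaping fix behind the first two recommendations, as an added Go example that is not Apache Answer's own notification code: the same e-mail body template is rendered once with text/template (user data copied verbatim, the CWE-80 pattern) and once with html/template (contextual auto-escaping). The Notification type and the template layout are assumptions made for this example.

```go
package main

import (
	"bytes"
	"fmt"
	htmltpl "html/template"
	"io"
	texttpl "text/template"
)

// Notification holds the e-mail data; Title is user-controlled (question title, comment, ...).
type Notification struct {
	Recipient string
	Title     string
}

// bodyTmpl is a constructed placeholder layout, not Apache Answer's template.
const bodyTmpl = `<p>Hi {{.Recipient}},</p>
<p>New activity on: {{.Title}}</p>`

type executor interface {
	Execute(w io.Writer, data any) error // satisfied by both packages' *Template
}

func render(t executor, n Notification) (string, error) {
	var buf bytes.Buffer
	if err := t.Execute(&buf, n); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderUnsafe reproduces the CWE-80 pattern: text/template substitutes user
// data verbatim, so tags in Title reach the mail client as live markup.
func RenderUnsafe(n Notification) (string, error) {
	return render(texttpl.Must(texttpl.New("mail").Parse(bodyTmpl)), n)
}

// RenderSafe uses html/template, whose contextual auto-escaping emits the same tags as inert text (&lt;script&gt;).
func RenderSafe(n Notification) (string, error) {
	return render(htmltpl.Must(htmltpl.New("mail").Parse(bodyTmpl)), n)
}

func main() {
	// Constructed sample: a question title carrying an HTML payload.
	n := Notification{Recipient: "alice", Title: `Help <b>me</b><script>alert(1)</script>`}
	raw, _ := RenderUnsafe(n)
	escaped, _ := RenderSafe(n)
	fmt.Printf("text/template:\n%s\n\nhtml/template:\n%s\n", raw, escaped)
}
```

The template's own tags (`<p>`) survive html/template untouched; only the interpolated values are escaped, which is the property the plain-text or whitelist recommendation above also targets.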


Tracking


Advisories

No advisories yet.

History

Tue, 09 Jun 2026 16:30:00 +0000

Type: Metrics
Values Added:
  cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 12:15:00 +0000

Type: First Time appeared
Values Added: Apache, Apache answer

Type: Vendors & Products
Values Added: Apache, Apache answer

Tue, 09 Jun 2026 10:30:00 +0000

Type: References

Tue, 09 Jun 2026 08:45:00 +0000

Type: Description
Values Added: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. User-supplied content was included in notification emails without proper escaping, allowing authenticated users to inject arbitrary HTML into emails sent to other users. Users are recommended to upgrade to version 2.0.1, which fixes the issue.

Type: Title
Values Added: Apache Answer: HTML Content Injection in Email

Type: Weaknesses
Values Added: CWE-80

Type: References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-09T15:43:16.886Z

Reserved: 2026-03-25T13:41:23.508Z

Link: CVE-2026-34033

Vulnrichment

Updated: 2026-06-09T09:07:35.387Z

NVD

Status : Undergoing Analysis

Published: 2026-06-09T09:16:29.420

Modified: 2026-06-09T17:17:04.420

Link: CVE-2026-34033

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T17:30:10Z

Weaknesses