Description
AIL framework is an open-source platform to collect, crawl, process and analyse unstructured data. Prior to 6.8, a stored cross-site scripting (XSS) vulnerability was identified in the modal item preview functionality. When item content longer than 800 characters was processed, attacker-controlled content was returned without an explicit text/plain content type, allowing the browser to interpret the response as active HTML. This could result in execution of arbitrary JavaScript in the context of an authenticated user viewing a crafted item. This vulnerability is fixed in 6.8.
Published: 2026-04-08
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS enabling arbitrary JavaScript execution in an authenticated user’s browser
Action: Apply Patch
AI Analysis

Impact

A vulnerability was discovered in the AIL Framework’s modal item preview feature that allows an attacker to embed malicious JavaScript in stored item content longer than 800 characters. Because the response was sent without a strict text/plain content‑type, the browser interprets it as active HTML, allowing the attacker to run arbitrary code within the context of any authenticated user who views the crafted item. The flaw is a classic stored cross‑site scripting weakness (CWE‑79).

Affected Systems

The issue affects AIL Framework prior to version 6.8. Users running earlier releases of the open‑source platform are at risk, as the bug resides in the core preview rendering logic of the project named ail-framework, maintained by ail‑project.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.5, indicating high severity, and is not listed in the CISA Known Exploited Vulnerabilities catalog. EPSS data is unavailable, so the current exploit probability cannot be quantified. An attacker would need to supply content over 800 characters that contains malicious scripting and have an authenticated user retrieve that content via the preview modal, a scenario that is feasible in a web application context. The scope of impact extends to data confidentiality and integrity for any authenticated user who views the compromised item.

Generated by OpenCVE AI on April 8, 2026 at 21:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to AIL Framework version 6.8 or later where the issue is fixed.
  • Verify that the preview functionality no longer outputs unsanitized HTML for items exceeding 800 characters.
  • Consider enforcing a content‑type header of text/plain for all preview responses or validating/limiting item content length in the application to prevent future occurrences.

Generated by OpenCVE AI on April 8, 2026 at 21:23 UTC.
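The content-type hardening in the recommended actions above, as an added example that is not the AIL project's own code: a simplified model of the pre-6.8 preview handler the description gives, its hardened form, and a header check a defender can run against preview responses. Only the 800-character threshold comes from the advisory; the handler shapes, the Response type, the sample item and the text/plain-plus-nosniff policy are assumptions.

```python
"""Added example, not AIL code: model of the preview handler described in
the advisory, a hardened form, and a response-header check."""
from dataclasses import dataclass, field

PREVIEW_LIMIT = 800  # length threshold named in the advisory


@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)


def _header(resp: Response, name: str) -> str:
    # HTTP header names are case-insensitive; look the name up that way
    for key, value in resp.headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def preview_pre_fix(item_content: str) -> Response:
    # Assumed simplification of the pre-6.8 behaviour in the advisory:
    # items over 800 characters come back with no explicit content type,
    # so the browser may sniff the body and treat it as HTML.
    if len(item_content) > PREVIEW_LIMIT:
        return Response(item_content)
    return Response(item_content, {"Content-Type": "text/plain; charset=utf-8"})


def preview_hardened(item_content: str) -> Response:
    # Declare plain text for every length and forbid MIME sniffing, so
    # item data is never interpreted as active HTML.
    return Response(item_content, {
        "Content-Type": "text/plain; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    })


def preview_is_inert(resp: Response) -> bool:
    """True only if the response declares text/plain and sets nosniff."""
    mime = _header(resp, "Content-Type").split(";")[0].strip().lower()
    nosniff = _header(resp, "X-Content-Type-Options").strip().lower() == "nosniff"
    return mime == "text/plain" and nosniff


# Constructed sample item: crosses the threshold and carries markup that an
# HTML-interpreting browser would render rather than display literally.
SAMPLE_ITEM = "x" * (PREVIEW_LIMIT + 1) + "<i>item text, not markup</i>"
```

Run `preview_is_inert` over real preview responses (for example, headers captured from a staging instance) to confirm the upgraded build no longer hands long items to the browser untyped.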

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 08:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Ail-project
                                       Ail-project ail-framework
Vendors & Products                     Ail-project
                                       Ail-project ail-framework

Wed, 08 Apr 2026 20:30:00 +0000

Type          Values Removed   Values Added
Description                    AIL framework is an open-source platform to collect, crawl, process and analyse unstructured data. Prior to 6.8, a stored cross-site scripting (XSS) vulnerability was identified in the modal item preview functionality. When item content longer than 800 characters was processed, attacker-controlled content was returned without an explicit text/plain content type, allowing the browser to interpret the response as active HTML. This could result in execution of arbitrary JavaScript in the context of an authenticated user viewing a crafted item. This vulnerability is fixed in 6.8.
Title                          Stored XSS in modal item preview for long item content in AIL Framework
Weaknesses                     CWE-79
References
Metrics                        cvssV4_0 {'score': 8.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/U:Amber'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T20:11:03.757Z

Reserved: 2026-04-07T00:23:30.595Z

Link: CVE-2026-39416

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-08T21:16:59.167

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-39416

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:27:26Z

Weaknesses