Description
AntSword is a cross-platform website management toolkit. Prior to 2.1.16, incomplete noxss() sanitization leads to 1-click RCE via jquery.terminal format code injection. This vulnerability is fixed in 2.1.16.
Published: 2026-05-12
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

AntSword’s noxss() sanitization flaw allows an attacker to inject arbitrary code through the jquery.terminal interface, leading to a one‑click remote code execution. The vulnerability combines a classic input validation weakness (CWE‑79) with an improper sanitization error (CWE‑1188) and code‑execution contamination (CWE‑94), permitting commands to run with the privileges of the AntSword process.

Affected Systems

The cross‑platform AntSword website management toolkit is vulnerable in all releases prior to version 2.1.16. The flaw resides in the web console component that processes terminal commands; any deployment using an affected version and exposing the console can be compromised.

Risk and Exploitability

With a CVSS score of 8.8, the vulnerability is considered high severity. The EPSS score is not publicly available, and it is not listed in the CISA KEV catalog, indicating no known large‑scale exploitation so far. The likely attack vector is an authenticated user with access to the AntSword console, as the exploitation requires only a single click of an injected command; thus the risk of successful exploitation remains moderate to high for exposed or poorly secured deployments.

Generated by OpenCVE AI on May 12, 2026 at 20:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AntSword to version 2.1.16 or later to apply the noxss() sanitization fix
  • Restrict access to the AntSword terminal console to trusted administrators and enforce strong authentication policies
  • Monitor console logs for suspicious command activity to detect possible exploitation attempts

Generated by OpenCVE AI on May 12, 2026 at 20:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 13 May 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 12 May 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Antsword Project
Antsword Project antsword
Vendors & Products Antsword Project
Antsword Project antsword

Tue, 12 May 2026 18:15:00 +0000

Type Values Removed Values Added
Description AntSword is a cross-platform website management toolkit. Prior to 2.1.16, incomplete noxss() sanitization leads to 1-click RCE via jquery.terminal format code injection. This vulnerability is fixed in 2.1.16.
Title AntSword: Incomplete noxss() sanitization leads to 1-click RCE via jquery.terminal format code injection
Weaknesses CWE-1188
CWE-79
CWE-94
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Antsword Project Antsword
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-13T14:10:20.899Z

Reserved: 2026-05-04T15:17:09.330Z

Link: CVE-2026-43892

cve-icon Vulnrichment

Updated: 2026-05-13T14:10:15.850Z

cve-icon NVD

Status : Deferred

Published: 2026-05-12T18:17:28.640

Modified: 2026-05-13T18:24:31.310

Link: CVE-2026-43892

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T23:30:26Z

Weaknesses
  • CWE-1188

    Initialization of a Resource with an Insecure Default

  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  • CWE-94

    Improper Control of Generation of Code ('Code Injection')