{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23769", "assignerOrgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6", "state": "PUBLISHED", "assignerShortName": "naver", "dateReserved": "2026-01-16T05:06:27.870Z", "datePublished": "2026-01-16T05:23:56.494Z", "dateUpdated": "2026-01-16T14:05:51.238Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "lucy-xss-filter", "repo": "https://github.com/naver/lucy-xss-filter", "vendor": "NAVER", "versions": [{"status": "unaffected", "version": "e5826c0d26b4f546955279767bbe94e5c7ed3f15", "versionType": "git"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Younghun Ko of AhnLab"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "lucy-xss-filter before commit e5826c0 allows an attacker to execute malicious JavaScript due to improper sanitization caused by misconfigured default superset rule files.<br>"}], "value": "lucy-xss-filter before commit e5826c0 allows an attacker to execute malicious JavaScript due to improper sanitization caused by misconfigured default superset rule files."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6", "shortName": "naver", "dateUpdated": "2026-01-16T05:33:30.508Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://cve.naver.com/detail/cve-2026-23769.html"}, {"tags": ["mitigation"], "url": "https://github.com/naver/lucy-xss-filter/pull/32"}], "source": {"discovery": "EXTERNAL"}, "tags": ["unsupported-when-assigned"], "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-01-16T14:05:44.631261Z", "id": "CVE-2026-23769", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-16T14:05:51.238Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-23769", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-16T14:05:44.631261Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-16T14:05:37.411Z"}}], "cna": {"tags": ["unsupported-when-assigned"], "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Younghun Ko of AhnLab"}], "affected": [{"repo": "https://github.com/naver/lucy-xss-filter", "vendor": "NAVER", "product": "lucy-xss-filter", "versions": [{"status": "unaffected", "version": "e5826c0d26b4f546955279767bbe94e5c7ed3f15", "versionType": "git"}], "defaultStatus": "affected"}], "references": [{"url": "https://cve.naver.com/detail/cve-2026-23769.html", "tags": ["vendor-advisory"]}, {"url": "https://github.com/naver/lucy-xss-filter/pull/32", "tags": ["mitigation"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "lucy-xss-filter before commit e5826c0 allows an attacker to execute malicious JavaScript due to improper sanitization caused by misconfigured default superset rule files.", "supportingMedia": [{"type": "text/html", "value": "lucy-xss-filter before commit e5826c0 allows an attacker to execute malicious JavaScript due to improper sanitization caused by misconfigured default superset rule files.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6", "shortName": "naver", "dateUpdated": "2026-01-16T05:33:30.508Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23769", "state": "PUBLISHED", "dateUpdated": "2026-01-16T14:05:51.238Z", "dateReserved": "2026-01-16T05:06:27.870Z", "assignerOrgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6", "datePublished": "2026-01-16T05:23:56.494Z", "assignerShortName": "naver"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:naver:lucy-xss-filter:*:*:*:*:*:*:*:*", "matchCriteriaId": "EE152946-8B7E-490F-986A-D584F6CC5D4D", "versionEndExcluding": "2025-06-08", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "cve@navercorp.com", "tags": ["unsupported-when-assigned"]}], "descriptions": [{"lang": "en", "value": "lucy-xss-filter before commit e5826c0 allows an attacker to execute malicious JavaScript due to improper sanitization caused by misconfigured default superset rule files."}], "id": "CVE-2026-23769", "lastModified": "2026-01-23T17:19:04.873", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-16T06:15:51.483", "references": [{"source": "cve@navercorp.com", "tags": ["Vendor Advisory"], "url": "https://cve.naver.com/detail/cve-2026-23769.html"}, {"source": "cve@navercorp.com", "tags": ["Patch"], "url": "https://github.com/naver/lucy-xss-filter/pull/32"}], "sourceIdentifier": "cve@navercorp.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "cve@navercorp.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T05:49:45.143997+00:00", "value": {"mitigation_remediation": ["Apply the latest patch (commit e5826c0 or later) to the Lucy XSS filter.", "Review and correctly configure the default superset rule files to ensure all script elements are properly filtered.", "Validate the effectiveness of the XSS filter by testing it with known payloads or using automated XSS detection tools."], "summary": {"action": "Patch Required", "impact": "Cross\u2011Site Scripting (client\u2011side JavaScript execution)"}, "threat_synthesis": {"affected_systems": "Naver\u2019s Lucy XSS filter, all versions released before commit e5826c0. The exact version range is not specified in the CVE data, so any instance of the filter that has not been updated to the fixed commit may be affected.", "description_and_impact": "The vulnerability in the Lucy XSS filter precedes commit e5826c0 and results from improper sanitization due to misconfigured default superset rule files. This flaw, identified as CWE\u201179, allows an attacker to inject malicious JavaScript that will execute in the victim\u2019s browser. Such cross\u2011site scripting can be leveraged for phishing, cookie theft, and active content manipulation, posing risks to user confidentiality and application integrity.", "risk_and_exploitability": "The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of current exploitation. The vulnerability is not listed in the CISA KEV catalog. Likely exploitation requires the attacker to supply crafted input through a web form or HTTP request that is processed by the faulty XSS filter, taking advantage of the misconfigured superset rules to bypass sanitization."}}}}, "created": "2026-01-16T13:41:53.560418+00:00", "title": "Improper Sanitization in Lucy XSS Filter Enables JavaScript Execution", "updated": "2026-04-18T06:00:08.486025+00:00", "vendors": ["naver", "naver$PRODUCT$lucy-xss-filter"]}