{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24824", "assignerOrgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "state": "PUBLISHED", "assignerShortName": "GovTech CSG", "dateReserved": "2026-01-27T08:59:05.366Z", "datePublished": "2026-01-27T09:01:06.551Z", "dateUpdated": "2026-01-27T16:58:24.836Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://github.com/yacy/yacy_search_server", "defaultStatus": "affected", "modules": ["source/net/yacy/http/servlets"], "product": "yacy_search_server", "programFiles": ["YaCyDefaultServlet.java"], "vendor": "yacy", "versions": [{"lessThanOrEqual": "1.92", "status": "affected", "version": "0", "versionType": "git"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "TITAN Team (titancaproject@gmail.com)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in yacy yacy_search_server (source/net/yacy/http/servlets modules).<p> This vulnerability is associated with program files <tt>YaCyDefaultServlet.Java</tt>.</p><p>This issue affects yacy_search_server.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in yacy yacy_search_server (source/net/yacy/http/servlets modules). This vulnerability is associated with program files YaCyDefaultServlet.Java.\n\nThis issue affects yacy_search_server."}], "metrics": [{"cvssV4_0": {"Automatable": "YES", "Recovery": "USER", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 6.9, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "AMBER", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/AU:Y/R:U/V:D/RE:M/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "MODERATE"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "shortName": "GovTech CSG", "dateUpdated": "2026-01-27T09:01:06.551Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/yacy/yacy_search_server/pull/722"}], "source": {"discovery": "UNKNOWN"}, "title": "A XSS in yacy/yacy_search_server", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-27T16:58:16.857470Z", "id": "CVE-2026-24824", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T16:58:24.836Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24824", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-27T16:58:16.857470Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T16:58:21.240Z"}}], "cna": {"title": "A XSS in yacy/yacy_search_server", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "TITAN Team (titancaproject@gmail.com)"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "USER", "baseScore": 6.9, "Automatable": "YES", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/AU:Y/R:U/V:D/RE:M/U:Amber", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "AMBER", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "MODERATE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "yacy", "modules": ["source/net/yacy/http/servlets"], "product": "yacy_search_server", "versions": [{"status": "affected", "version": "0", "versionType": "git", "lessThanOrEqual": "1.92"}], "programFiles": ["YaCyDefaultServlet.java"], "collectionURL": "https://github.com/yacy/yacy_search_server", "defaultStatus": "affected"}], "references": [{"url": "https://github.com/yacy/yacy_search_server/pull/722", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in yacy yacy_search_server (source/net/yacy/http/servlets modules). This vulnerability is associated with program files YaCyDefaultServlet.Java.\n\nThis issue affects yacy_search_server.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in yacy yacy_search_server (source/net/yacy/http/servlets modules).<p> This vulnerability is associated with program files <tt>YaCyDefaultServlet.Java</tt>.</p><p>This issue affects yacy_search_server.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "shortName": "GovTech CSG", "dateUpdated": "2026-01-27T09:01:06.551Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24824", "state": "PUBLISHED", "dateUpdated": "2026-01-27T16:58:24.836Z", "dateReserved": "2026-01-27T08:59:05.366Z", "assignerOrgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "datePublished": "2026-01-27T09:01:06.551Z", "assignerShortName": "GovTech CSG"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in yacy yacy_search_server (source/net/yacy/http/servlets modules). This vulnerability is associated with program files YaCyDefaultServlet.Java.\n\nThis issue affects yacy_search_server."}, {"lang": "es", "value": "Vulnerabilidad de neutralizaci\u00f3n Inadecuada de Entrada Durante la Generaci\u00f3n de P\u00e1ginas Web (XSS o 'cross-site scripting') en yacy yacy_search_server (m\u00f3dulos source/net/yacy/HTTP/servlets). Esta vulnerabilidad est\u00e1 asociada con los archivos de programa YaCyDefaultServlet.Java.\n\nEste problema afecta a yacy_search_server."}], "id": "CVE-2026-24824", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "YES", "Recovery": "USER", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "AMBER", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:D/RE:M/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "MODERATE"}, "source": "cve_disclosure@tech.gov.sg", "type": "Secondary"}]}, "published": "2026-01-27T09:15:53.203", "references": [{"source": "cve_disclosure@tech.gov.sg", "url": "https://github.com/yacy/yacy_search_server/pull/722"}], "sourceIdentifier": "cve_disclosure@tech.gov.sg", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "cve_disclosure@tech.gov.sg", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T18:47:42.552826+00:00", "value": {"mitigation_remediation": ["Apply the latest version of yacy_search_server that addresses the XSS issue.", "If an update is not immediately available, use a web application firewall rule or reverse\u2011proxy configuration that sanitizes or blocks user\u2011controlled input before it reaches the servlet.", "Ensure that all user\u2011supplied data is properly escaped when rendering HTML, following the recommendations for mitigating CWE\u201179."], "summary": {"action": "Apply Patch", "impact": "Cross\u2011site scripting that can enable session hijacking or defacement"}, "threat_synthesis": {"affected_systems": "The affected product is the yacy_search_server component of the yacy project. No specific version information is noted in the CVE entry, so any deployment of this component could be affected unless a later release has applied the fix.", "description_and_impact": "The vulnerability is an improper neutralization of input during web page generation in yacy_search_server. An attacker can inject malicious JavaScript through HTTP requests, causing a web browser to execute that script in the context of an authenticated user. This can lead to theft of session cookies, unauthorized actions, or defacement of the site. The weakness is a classic input\u2011validation flaw described by CWE\u201179.", "risk_and_exploitability": "Based on the description, the likely attack vector is remote via HTTP requests to the YaCyDefaultServlet. The CVSS score of 6.9 indicates moderate severity, and the EPSS score of less than 1% shows a very low probability of being seen in the wild. The vulnerability is not listed in CISA\u2019s KEV catalog. The exploitation path relies on remote input via web requests to the YaCyDefaultServlet. Successful exploitation requires that the attacker can deliver crafted requests to the vulnerable server, which is generally available over the public internet."}}}}, "created": "2026-01-27T20:17:05.326949+00:00", "updated": "2026-04-18T19:00:08.023960+00:00", "vendors": ["yacy", "yacy$PRODUCT$yacy_search_server"]}