Versions of the package raysan5/raylib before 4.5.0 are vulnerable to Cross-site Scripting (XSS): the SetClipboardText API does not properly escape the ' character, allowing attacker-controlled input to break out of the string and execute arbitrary JavaScript via the emscripten_run_script function.
Note: This vulnerability is present only when compiling raylib for PLATFORM_WEB. All the other Desktop/Mobile/Embedded platforms are not affected.
[
{
"signature_version": "v1",
"source": "https://github.com/raysan5/raylib/commit/b436c8d7e5346a241b00511a11585936895d959d",
"id": "CVE-2023-26123-4e2496b3",
"deprecated": false,
"target": {
"file": "src/rcore.c",
"function": "SetClipboardText"
},
"signature_type": "Function",
"digest": {
"function_hash": "41329347419734723558561420860892878095",
"length": 236.0
}
},
{
"signature_version": "v1",
"source": "https://github.com/raysan5/raylib/commit/b436c8d7e5346a241b00511a11585936895d959d",
"id": "CVE-2023-26123-537dc9fb",
"deprecated": false,
"target": {
"file": "src/rcore.c",
"function": "TakeScreenshot"
},
"signature_type": "Function",
"digest": {
"function_hash": "95396039044598347856998703457630442817",
"length": 936.0
}
},
{
"signature_version": "v1",
"source": "https://github.com/raysan5/raylib/commit/b436c8d7e5346a241b00511a11585936895d959d",
"id": "CVE-2023-26123-550b2626",
"deprecated": false,
"target": {
"file": "src/rcore.c",
"function": "GetClipboardText"
},
"signature_type": "Function",
"digest": {
"function_hash": "110317313863018853267168855357997188970",
"length": 443.0
}
},
{
"signature_version": "v1",
"source": "https://github.com/raysan5/raylib/commit/b436c8d7e5346a241b00511a11585936895d959d",
"id": "CVE-2023-26123-99fbe797",
"deprecated": false,
"target": {
"file": "src/rcore.c",
"function": "OpenURL"
},
"signature_type": "Function",
"digest": {
"function_hash": "164148737505169253054324280564101103151",
"length": 2054.0
}
},
{
"signature_version": "v1",
"source": "https://github.com/raysan5/raylib/commit/b436c8d7e5346a241b00511a11585936895d959d",
"id": "CVE-2023-26123-fc8318f7",
"deprecated": false,
"target": {
"file": "src/rcore.c"
},
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"32934586593772336908919964766218732816",
"292577221545442391438029834382652359261",
"12187908305032152799688219310076510328",
"86207086325609686174765683039731179257",
"118181487026220434735613591773537399492",
"231972655437726168945768662483965489761",
"101042589994435688174658729297630513762",
"102315135139518680777821178792686834151",
"223632566967923960062951305016844513338",
"82460867418613074251510485276858101925",
"307409158455207886195930030106246530693",
"251283521399508748766556159128238157277",
"103526175660519447404867082149257442793",
"130304515847310512332484270596228411030",
"38670544352147231526459958535618144686",
"158392275212931370213822783197556741617",
"163693579294237792067088239457645805823",
"158233148284383865134124550249426916381",
"65436264917782824156953891376843276347",
"158376806962760377084192736201878689657",
"70371060100029468243395863517459848280"
]
}
}
]