GHSA-qxh9-qmf2-rhwc

Source

https://github.com/advisories/GHSA-qxh9-qmf2-rhwc

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-qxh9-qmf2-rhwc/GHSA-qxh9-qmf2-rhwc.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-qxh9-qmf2-rhwc

Aliases

CVE-2025-53865
PYSEC-2025-69

Published

2025-07-13T21:30:31Z

Modified

2025-07-14T21:12:05.389708Z

Severity

6.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N CVSS Calculator

Summary

Roundup is vulnerable to XSS through interactions between URLs and issue tracker templates

Details

In Roundup before 2.5.0, XSS can occur via interaction between URLs and issue tracker templates (devel and responsive).

Database specific

{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-79"
    ],
    "nvd_published_at": "2025-07-13T20:15:25Z",
    "severity": "MODERATE",
    "github_reviewed_at": "2025-07-14T20:53:48Z"
}

References

Affected packages

PyPI / roundup

Package

Name: roundup; View open source insights on deps.dev
Purl: pkg:pypi/roundup

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.5.0

Affected versions

0.*

0.5.9

0.6.8

0.6.9

0.6.11

0.7.0b3

0.7.0

0.7.1

0.7.2

0.7.3

0.7.4

0.7.5

0.7.7

0.7.8

0.7.9

0.7.11

0.7.12

0.8.0b1

0.8.0

0.8.1

0.8.2

0.8.3

0.8.4

0.8.5

0.8.6

0.9.0b1

1.*

1.0

1.0.1

1.1.0

1.1.1

1.1.2

1.2.0

1.2.1

1.3.0

1.3.1

1.3.2

1.3.3

1.4.0

1.4.1

1.4.2

1.4.3

1.4.4

1.4.5.1

1.4.6

1.4.7

1.4.8

1.4.9

1.4.10

1.4.11

1.4.12

1.4.13

1.4.14

1.4.15

1.4.16

1.4.17

1.4.18

1.4.19

1.4.20

1.4.21

1.5.0

1.5.1

1.6.0

1.6.1

2.*

2.0.0alpha0

2.0.0beta0

2.0.0

2.1.0b1

2.1.0

2.2.0b1

2.2.0

2.3.0b2

2.3.0

2.4.0b1

2.4.0b2

2.4.0

2.5.0b1