PYSEC-2026-1253

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/ckan/PYSEC-2026-1253.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1253
Aliases
Published
2026-07-07T14:34:39.171194Z
Modified
2026-07-07T17:47:25.985929402Z
Severity
  • 6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N CVSS Calculator
  • 6.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N CVSS Calculator
Summary
CKAN has Cross-site Scripting vector in the Datatables view plugin
Details

The Datatables view plugin did not properly escape record data coming from the DataStore, leading to a potential XSS vector.

Impact

Sites running CKAN >= 2.7.0 with the datatables_view plugin activated. This is a plugin included in CKAN core, that not activated by default but it is widely used to preview tabular data.

Patches

This vulnerability has been fixed in CKAN 2.10.5 and 2.11.0

Workarounds

Prevent importing of tabular files to the DataStore via DataPusher, XLoader,etc, at least those published from untrusted sources.

References

Affected packages

PyPI / ckan

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.7.0
Fixed
2.10.5

Affected versions

2.*
2.7.0
2.7.1
2.7.2
2.7.3
2.7.4
2.7.5
2.7.6
2.7.7
2.7.8
2.7.9
2.7.10
2.7.11
2.7.12
2.8.0
2.8.1
2.8.2
2.8.3
2.8.4
2.8.5
2.8.6
2.8.7
2.8.8
2.8.9
2.8.10
2.8.11
2.8.12
2.9.0
2.9.1
2.9.2
2.9.3
2.9.4
2.9.5
2.9.6
2.9.7
2.9.8
2.9.9
2.9.10
2.9.11
2.10.0
2.10.1
2.10.3
2.10.4

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/ckan/PYSEC-2026-1253.yaml"