PYSEC-2026-1492

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/khoj/PYSEC-2026-1492.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1492
Aliases
Published
2026-07-07T14:34:39.002433Z
Modified
2026-07-07T17:46:46.013975103Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVSS Calculator
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
Summary
Khoj Vulnerable to Stored Cross-site Scripting In Automate (Preview feature)
Details

Summary

The Automation feature allows a user to insert arbitrary HTML inside the task instructions, resulting in a Stored XSS.

Details

The q parameter for the /api/automation endpoint does not get correctly sanitized when rendered on the page, resulting in the ability of users to inject arbitrary HTML/JS.

PoC

POST /api/automation?q=%22%3E%3C%2Ftextarea%3E%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E%3Cscript%3Ealert(2)%3C%2Fscript%3E

Impact

Stored XSS: image

Fix

  • Added a Content Security Policy to all config pages on the web client, including the automation page
  • Used DOM scripting to construct all components on the config pages, including the automation page
References

Affected packages

PyPI / khoj

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.15.0

Affected versions

1.*
1.0

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/khoj/PYSEC-2026-1492.yaml"