PYSEC-2026-2551

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/kiwitcms/PYSEC-2026-2551.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-2551
Aliases
Published
2026-07-13T15:46:28.995169Z
Modified
2026-07-13T16:32:01.196495260Z
Severity
  • 0.0 (None) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N CVSS Calculator
Summary
Kiwi TCMS vulnerable to stored XSS via JavaScript: URI in extra_link field (TestPlan & TestCase)
Details

Summary

In Kiwi TCMS the fields TestCase.extra_link and TestPlan.extra_link were meant to represent URLs to external resources however in versions prior to 16.1 user input was not being sanitized and values were rendered verbatim which represents an opportunity for cross-site scripting exploitation. In version 16.1 these fields are properly sanitized and existing database records which don't validate will be reset to a null value.

Impact

Deployments which use the official Docker images and/or unmodified Kiwi TCMS middleware send a Content-Security-Policy header which makes this vulnerability difficult to exploit in practice because this header blocks the browser from executing inline JavaScript. Customized deployments which modify the default security settings may still be vulnerable.

References

Affected packages

PyPI / kiwitcms

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
12.4

Affected versions

6.*
6.2.1
6.3
6.4
6.5
6.5.3
6.6
6.7
6.8
6.9
6.10
6.11
7.*
7.0
7.1
7.2
7.2.1
7.3
8.*
8.0
8.1
8.1.99
8.2
8.3
8.4
8.5
8.6
8.6.1
8.7
8.8
8.9
9.*
9.0
9.999
10.*
10.0
10.1
10.2
10.3
10.3.999
10.4
10.5
11.*
11.0
11.1
11.3
11.4
11.5
11.6
11.7
12.*
12.0
12.1
12.2
12.3
12.4

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/kiwitcms/PYSEC-2026-2551.yaml"