CVE-2026-1466 (GCVE-0-2026-1466)

Vulnerability from cvelistv5 – Published: 2026-01-28 06:33 – Updated: 2026-01-28 20:48
Title
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Jirafeau
Summary
Jirafeau normally prevents browser preview (inline rendering) of text-based files, because documents such as SVG and HTML could be used for cross-site scripting. The check stored the MIME type of each uploaded file and allowed preview only for MIME types beginning with "image" (except "image/svg+xml", see CVE-2022-30110, CVE-2024-12326 and CVE-2025-7066), "video" and "audio". Because this was a prefix match rather than a validation of the full media type, it could be bypassed by sending a manipulated HTTP request that declared an invalid MIME type such as the bare string "image". When the file was then previewed, the browser had no usable Content-Type, sniffed the content, detected SVG and could execute the embedded JavaScript. The fix disables MIME sniffing by sending the response header "X-Content-Type-Options: nosniff" on the preview response.
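The following Python model illustrates the class of bug the summary describes. It is an added example written for this page, not Jirafeau's own (PHP) code: the allowlist, the prefix check and the header-building function are assumptions that reproduce the behaviour stated above (prefix match on "image"/"video"/"audio" with an "image/svg+xml" carve-out), placed beside a hardened version that parses the full type/subtype and always emits nosniff. The sample MIME strings are constructed.

```python
"""Model of the MIME-type preview check behind CVE-2026-1466.

Added example for this page; not code from the Jirafeau project.
"""
import re

# RFC 7231 media type: token "/" token, no parameters.  Assumption: the stored
# value is a bare Content-Type as sent by the uploader.
_TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
_MEDIA_TYPE = re.compile(rf"^(?P<type>{_TOKEN})/(?P<subtype>{_TOKEN})$")

PREVIEW_TYPES = ("image", "video", "audio")   # assumed allowlist, per the summary
BLOCKED_TYPES = {"image/svg+xml"}             # carve-out named in the summary


def vulnerable_allows_preview(mime: str) -> bool:
    """Pre-4.7.1 behaviour as described: a prefix match on the stored MIME type.

    A bare 'image' (no slash, no subtype) satisfies the prefix test, and so does
    an unrelated top-level type such as 'imagery/x'.
    """
    if mime in BLOCKED_TYPES:
        return False
    return mime.startswith(PREVIEW_TYPES)


def hardened_allows_preview(mime: str) -> bool:
    """Validate the full media type before comparing the top-level type exactly."""
    m = _MEDIA_TYPE.match(mime)
    if not m:
        return False                      # 'image' alone is not a media type
    if mime.lower() in BLOCKED_TYPES:
        return False                      # keep the SVG deny entry
    return m.group("type").lower() in PREVIEW_TYPES


def preview_headers(mime: str, allow: bool) -> dict:
    """Response headers for a download/preview endpoint (assumed shape).

    nosniff is sent unconditionally, which is the mitigation the advisory
    describes: even if a malformed type reaches the response, the browser must
    not guess the content type from the body.
    """
    headers = {"X-Content-Type-Options": "nosniff"}
    if allow:
        headers["Content-Type"] = mime
        headers["Content-Disposition"] = "inline"
    else:
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = "attachment"
    return headers


def compare(mime: str) -> tuple:
    """Return (vulnerable_decision, hardened_decision) for one stored MIME value."""
    return vulnerable_allows_preview(mime), hardened_allows_preview(mime)


# Constructed sample values: a legitimate image, the SVG carve-out, the bare
# 'image' bypass from the advisory, an unrelated prefix match, video and HTML.
SAMPLE_MIMES = ["image/png", "image/svg+xml", "image", "imagery/x", "video/mp4", "text/html"]

if __name__ == "__main__":
    for m in SAMPLE_MIMES:
        old, new = compare(m)
        print(f"{m:14s} vulnerable={old!s:5s} hardened={new!s:5s} "
              f"headers={preview_headers(m, new)}")
```

The hardened check fixes the input-validation half of the problem; the nosniff header in preview_headers is the defence-in-depth half and is the change the advisory names. Both belong in a deployment, since a prefix allowlist alone is only as good as the upload-time validation feeding it.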
SSVC
Exploitation: none | Automatable: no | Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner: GitLab
Impacted products
Vendor: Jirafeau project
Product: Jirafeau
Version: affected from 0, < 4.7.1 (semver)
Credits
Yann Cam, Killian Chevrier, Patrick Canterino

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-1466",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-28T20:48:10.333121Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-28T20:48:25.368Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Jirafeau",
          "vendor": "Jirafeau project",
          "versions": [
            {
              "lessThan": "4.7.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Yann Cam, Killian Chevrier, Patrick Canterino"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Jirafeau normally prevents browser preview for text files due to the possibility that for example SVG and HTML documents could be exploited for cross site scripting. This was done by storing the MIME type of a file and allowing only browser preview for MIME types beginning with image (except for image/svg+xml, see CVE-2022-30110, CVE-2024-12326 and CVE-2025-7066), video and audio. However, it was possible to bypass this check by sending a manipulated HTTP request with an invalid MIME type like image. When doing the preview, the browser tries to automatically detect the MIME type resulting in detecting SVG and possibly executing JavaScript code. To prevent this, MIME sniffing is disabled by sending the HTTP header X-Content-Type-Options: nosniff."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-28T06:33:15.181Z",
        "orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
        "shortName": "GitLab"
      },
      "references": [
        {
          "url": "https://gitlab.com/jirafeau/Jirafeau/-/commit/747afb20bfcff14bb67e40e7035d47a6311ba3e1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-30110"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-12326"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-7066"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to version 4.7.1"
        }
      ],
      "title": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) in Jirafeau"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
    "assignerShortName": "GitLab",
    "cveId": "CVE-2026-1466",
    "datePublished": "2026-01-28T06:33:15.181Z",
    "dateReserved": "2026-01-27T08:04:12.765Z",
    "dateUpdated": "2026-01-28T20:48:25.368Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-1466",
      "date": "2026-07-02",
      "epss": "0.00287",
      "percentile": "0.20458"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-1466\",\"sourceIdentifier\":\"cve@gitlab.com\",\"published\":\"2026-01-28T07:16:01.087\",\"lastModified\":\"2026-06-17T10:15:50.523\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Jirafeau normally prevents browser preview for text files due to the possibility that for example SVG and HTML documents could be exploited for cross site scripting. This was done by storing the MIME type of a file and allowing only browser preview for MIME types beginning with image (except for image/svg+xml, see CVE-2022-30110, CVE-2024-12326 and CVE-2025-7066), video and audio. However, it was possible to bypass this check by sending a manipulated HTTP request with an invalid MIME type like image. When doing the preview, the browser tries to automatically detect the MIME type resulting in detecting SVG and possibly executing JavaScript code. To prevent this, MIME sniffing is disabled by sending the HTTP header X-Content-Type-Options: nosniff.\"},{\"lang\":\"es\",\"value\":\"Jirafeau normalmente impide la previsualizaci\u00f3n del navegador para archivos de texto debido a la posibilidad de que, por ejemplo, documentos SVG y HTML pudieran ser explotados para cross-site scripting. Esto se hac\u00eda almacenando el tipo MIME de un archivo y permitiendo solo la previsualizaci\u00f3n del navegador para tipos MIME que comienzan con \u0027image\u0027 (excepto para \u0027image/svg+xml\u0027, ver CVE-2022-30110, CVE-2024-12326 y CVE-2025-7066), video y audio. Sin embargo, era posible eludir esta comprobaci\u00f3n enviando una solicitud HTTP manipulada con un tipo MIME inv\u00e1lido como \u0027image\u0027. Al realizar la previsualizaci\u00f3n, el navegador intenta detectar autom\u00e1ticamente el tipo MIME, lo que resulta en la detecci\u00f3n de SVG y posiblemente la ejecuci\u00f3n de c\u00f3digo JavaScript. 
Para evitar esto, el MIME sniffing est\u00e1 deshabilitado enviando la cabecera HTTP X-Content-Type-Options: nosniff.\"}],\"affected\":[{\"source\":\"cve@gitlab.com\",\"affectedData\":[{\"vendor\":\"Jirafeau project\",\"product\":\"Jirafeau\",\"defaultStatus\":\"unaffected\",\"versions\":[{\"version\":\"0\",\"lessThan\":\"4.7.1\",\"versionType\":\"semver\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cve@gitlab.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-01-28T20:48:10.333121Z\",\"id\":\"CVE-2026-1466\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"cve@gitlab.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:jirafeau:jirafeau:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"4.7.1\",\"matchCriteriaId\":\"91A060C5-0315-4252-B822-BDA2D030277B\"}]}]}],\"references\":[{\"url\":\"https://gitlab.com/jirafeau/Jirafeau/-/commit/747afb20bfcff14bb67e40e7035d47a6311ba3e1\",\"source\":\"cve@gitlab.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://www.cve.org/CVERecord?id=CVE-2022-30110\",\"source\":\"cve@gitlab.com\",\"tags\":[\"Not 
Applicable\"]},{\"url\":\"https://www.cve.org/CVERecord?id=CVE-2024-12326\",\"source\":\"cve@gitlab.com\",\"tags\":[\"Not Applicable\"]},{\"url\":\"https://www.cve.org/CVERecord?id=CVE-2025-7066\",\"source\":\"cve@gitlab.com\",\"tags\":[\"Not Applicable\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-1466\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-01-28T20:48:10.333121Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-01-28T20:48:14.097Z\"}}], \"cna\": {\"title\": \"Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) in Jirafeau\", \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Yann Cam, Killian Chevrier, Patrick Canterino\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 6.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Jirafeau project\", \"product\": \"Jirafeau\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"4.7.1\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Upgrade to version 4.7.1\"}], \"references\": [{\"url\": \"https://gitlab.com/jirafeau/Jirafeau/-/commit/747afb20bfcff14bb67e40e7035d47a6311ba3e1\"}, {\"url\": \"https://www.cve.org/CVERecord?id=CVE-2022-30110\"}, {\"url\": \"https://www.cve.org/CVERecord?id=CVE-2024-12326\"}, {\"url\": \"https://www.cve.org/CVERecord?id=CVE-2025-7066\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Jirafeau normally prevents 
browser preview for text files due to the possibility that for example SVG and HTML documents could be exploited for cross site scripting. This was done by storing the MIME type of a file and allowing only browser preview for MIME types beginning with image (except for image/svg+xml, see CVE-2022-30110, CVE-2024-12326 and CVE-2025-7066), video and audio. However, it was possible to bypass this check by sending a manipulated HTTP request with an invalid MIME type like image. When doing the preview, the browser tries to automatically detect the MIME type resulting in detecting SVG and possibly executing JavaScript code. To prevent this, MIME sniffing is disabled by sending the HTTP header X-Content-Type-Options: nosniff.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"ceab7361-8a18-47b1-92ba-4d7d25f6715a\", \"shortName\": \"GitLab\", \"dateUpdated\": \"2026-01-28T06:33:15.181Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-1466\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-01-28T20:48:25.368Z\", \"dateReserved\": \"2026-01-27T08:04:12.765Z\", \"assignerOrgId\": \"ceab7361-8a18-47b1-92ba-4d7d25f6715a\", \"datePublished\": \"2026-01-28T06:33:15.181Z\", \"assignerShortName\": \"GitLab\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

