PYSEC-2026-1905

Vulnerability from pysec - Published: 2026-07-07 11:45 - Updated: 2026-07-07 17:25
VLAI
Details

Summary

In the /license/ endpoint, the detailed view key is not properly validated and sanitized, which can result in a potential cross-site scripting (XSS) vulnerability when attempting to access a detailed license view that does not exist.

Details

In the /license/ endpoint, the license_details_view function is vulnerable to a potential cross-site scripting (XSS) attack due to inadequate validation and sanitization of the key parameter. This vulnerability arises when attempting to access a key with malicious javascript.

def license_details_view(request, key):
    """
    Display all available information about a given license `key` followed by
    the full license text.
    """
    licenses = get_licenses()
    try:
        data = saneyaml.dump(licenses[key].to_dict())
        text = licenses[key].text
    except KeyError:
        return HttpResponseNotFound(f"License {key} not found.") # Leads to cross-site scripting when key is malicious javascript
    return HttpResponse(f"<pre>{data}</pre><hr><pre>{text}</pre>")

PoC

  1. Access following endpoint on scancode.io instance: http://localhost/license/%3Cscript%3Ealert(document.cookie);%3C/script%3E/

Impact

Attackers can exploit the vulnerability to inject malicious scripts into the response generated by the license_details_view function. When unsuspecting users visit the page, their browsers will execute the injected scripts, leading to unauthorized actions, session hijacking, or stealing sensitive information.

Impacted products
Name purl
scancodeio pkg:pypi/scancodeio

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "scancodeio",
        "purl": "pkg:pypi/scancodeio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "32.5.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "32.0.1",
        "32.1.0",
        "32.2.0",
        "32.4.0",
        "32.5.0",
        "32.5.1"
      ]
    }
  ],
  "aliases": [
    "CVE-2023-40024",
    "GHSA-6xcx-gx7r-rccj"
  ],
  "details": "### Summary\nIn the `/license/` endpoint, the detailed view key is not properly validated and sanitized, which can result in a potential cross-site scripting (XSS) vulnerability when attempting to access a detailed license view that does not exist.\n\n### Details\nIn the `/license/` endpoint, the `license_details_view` function is vulnerable to a potential cross-site scripting (XSS) attack due to inadequate validation and sanitization of the `key` parameter. This vulnerability arises when attempting to access a key with malicious javascript.\n\n```python\ndef license_details_view(request, key):\n    \"\"\"\n    Display all available information about a given license `key` followed by\n    the full license text.\n    \"\"\"\n    licenses = get_licenses()\n    try:\n        data = saneyaml.dump(licenses[key].to_dict())\n        text = licenses[key].text\n    except KeyError:\n        return HttpResponseNotFound(f\"License {key} not found.\") # Leads to cross-site scripting when key is malicious javascript\n    return HttpResponse(f\"\u003cpre\u003e{data}\u003c/pre\u003e\u003chr\u003e\u003cpre\u003e{text}\u003c/pre\u003e\")\n```\n\n\n### PoC\n1. Access following endpoint on scancode.io instance: http://localhost/license/%3Cscript%3Ealert(document.cookie);%3C/script%3E/\n\n### Impact\nAttackers can exploit the vulnerability to inject malicious scripts into the response generated by the `license_details_view` function. When unsuspecting users visit the page, their browsers will execute the injected scripts, leading to unauthorized actions, session hijacking, or stealing sensitive information.\n",
  "id": "PYSEC-2026-1905",
  "modified": "2026-07-07T17:25:21.767070Z",
  "published": "2026-07-07T11:45:22.677621Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nexB/scancode.io/security/advisories/GHSA-6xcx-gx7r-rccj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40024"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nexB/scancode.io"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nexB/scancode.io/blob/dd7769fbc97c84545579cebf1dc4838214098a11/CHANGELOG.rst#v3252-2023-08-14"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nexB/scancode.io/releases/tag/v32.5.2"
    },
    {
      "type": "PACKAGE",
      "url": "https://pypi.org/project/scancodeio"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-6xcx-gx7r-rccj"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Scancode.io Reflected Cross-Site Scripting (XSS) in license endpoint"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…