CVE-2016-10006

MEDIUM

OWASP AntiSamy < 1.5.5 - Cross-Site Scripting via Style Attribute Bypass

Title source: llm

Exploitation Summary

EIP tracks 2 public entries for CVE-2016-10006: a working PoC published by shoucheng3 and a source-code writeup (VUL4J-60) published by epicosy.

AI-analyzed exploit summary: the shoucheng3 repository contains a functional exploit PoC for CVE-2016-10006 targeting OWASP AntiSamy 1.5.3. It abuses AntiSamy's handling of CSS in the style attribute to slip active content past the sanitizer, leading to XSS in any application that trusts the cleaned output.

Description

In OWASP AntiSamy before 1.5.5, by submitting a specially crafted input (a tag that supports style with active content), you could bypass the library protections and supply executable code. The impact is XSS.
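The practical question for a defender is whether the AntiSamy build and policy an application actually loads still let active content through a style attribute. The following Java harness is an added check written for this page; it is not code from the page, from either PoC repository, or from the AntiSamy project. It scans a handful of inputs that carry active content in a style attribute and flags any that survive sanitization. The inputs are generic style-attribute vectors constructed for this example, not the payload from the upstream issue (which this page does not reproduce); the class name is ours, and the policy file path is passed on the command line because which style properties survive depends on the policy the application uses.

```java
import java.util.Locale;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

/**
 * Regression check for style-attribute sanitization in OWASP AntiSamy.
 * Run it with the same policy file against the AntiSamy version you deploy
 * and against 1.5.5 or later; a sample reported as LEAK on the old build and
 * ok on the new one is the class of bypass this CVE describes.
 */
public class StyleAttributeRegressionCheck {

    // Constructed inputs for this example: each puts active content into a
    // style attribute. Generic vectors, not the upstream issue's payload.
    static final String[] SAMPLES = {
        "<div style=\"background:url(javascript:alert(1))\">x</div>",
        "<span style=\"width:expression(alert(1))\">x</span>",
        "<p style=\"behavior:url(#default#time2)\">x</p>",
        "<b style=\"color:red\">plain style, expected to survive</b>",
    };

    // Markers that must never survive inside a sanitized style attribute.
    static final String[] ACTIVE_MARKERS = { "javascript:", "expression(", "behavior:" };

    /** True if the sanitized output still carries an active-CSS marker. */
    static boolean containsActiveCss(String cleanHtml) {
        String lower = cleanHtml.toLowerCase(Locale.ROOT);
        for (String marker : ACTIVE_MARKERS) {
            if (lower.contains(marker)) {
                return true;
            }
        }
        return false;
    }

    /** Scans every sample, prints the before/after pair, returns the leak count. */
    static int runChecks(AntiSamy antiSamy, Policy policy) throws ScanException, PolicyException {
        int leaks = 0;
        for (String sample : SAMPLES) {
            CleanResults results = antiSamy.scan(sample, policy);
            String clean = results.getCleanHTML();
            boolean leaked = containsActiveCss(clean);
            if (leaked) {
                leaks++;
            }
            System.out.printf("%s  in : %s%n      out: %s%n      errors: %s%n",
                    leaked ? "LEAK" : "ok  ", sample, clean.trim(), results.getErrorMessages());
        }
        return leaks;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java StyleAttributeRegressionCheck <antisamy-policy.xml>");
            System.exit(2);
        }
        // Assumption of this example: the policy file is the one the application
        // loads in production, since the policy decides which CSS is permitted.
        Policy policy = Policy.getInstance(args[0]);
        int leaks = runChecks(new AntiSamy(), policy);
        System.out.println(leaks == 0 ? "no active CSS survived sanitization"
                                      : leaks + " sample(s) leaked active CSS");
        System.exit(leaks == 0 ? 0 : 1);
    }
}
```

Compile and run it with the org.owasp.antisamy:antisamy jar and its dependencies on the classpath. The harness deliberately does not hard-code an expected result per version: the point is to diff the output of the build in use against 1.5.5 or later under the same policy, and to keep the check in the test suite so a future policy change that re-admits active CSS is caught.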

Exploits (2)

nomisec WORKING POC
by shoucheng3 · poc
https://github.com/shoucheng3/nahsra__antisamy_CVE-2016-10006_1-5-3

Classification
Working PoC 90%
Attack Type
XSS
Complexity
Moderate
Reliability
Reliable
Target: OWASP AntiSamy 1.5.3
No auth needed
Prerequisites: Access to an application using OWASP AntiSamy for input sanitization
devstral-2 · analyzed Feb 18, 2026
nomisec WRITEUP
by epicosy · poc
https://github.com/epicosy/VUL4J-60

This repository contains the source code for the OWASP AntiSamy library, which is a tool for sanitizing HTML and CSS input to prevent XSS attacks. The code includes various classes for CSS and HTML validation, but there is no explicit exploit code or proof-of-concept for CVE-2016-10006.

Classification
Writeup 90%
Attack Type
XSS
Complexity
Moderate
Reliability
Theoretical
Target: OWASP AntiSamy (versions prior to fix for CVE-2016-10006)
No auth needed
Prerequisites: Access to an application using a vulnerable version of AntiSamy
devstral-2 · analyzed Feb 18, 2026

References (3)

Core References (3)
http://www.securitytracker.com/id/1037532 (Third Party Advisory, VDB Entry; SecurityTracker)
https://github.com/nahsra/antisamy/issues/2 (Patch, Vendor Advisory; upstream issue)
http://www.securityfocus.com/bid/95101 (Third Party Advisory, VDB Entry; BugTraq ID 95101)

Scores

CVSS v3.1 base score 6.1 (Medium)
CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector NETWORK
EPSS 0.0204 (78.6th percentile)

Details

CWE
CWE-79
Status published
Products (2)
antisamy_project/antisamy, versions before 1.5.5
org.owasp.antisamy:antisamy (Maven), versions from 0 up to but not including 1.5.5
Published Dec 24, 2016
Tracked Since Feb 18, 2026