CVE-2016-5394

MEDIUM LAB

Apache Sling XSS Protection API < 1.0.12 - Cross-Site Scripting via encodeForJSString Method


Exploitation Summary

EIP tracks 2 public exploits for CVE-2016-5394. PoCs published by shoucheng3, epicosy.

AI-analyzed exploit summary

This repository contains the source code for the Apache Sling XSS Bundle, which includes the vulnerable code for CVE-2016-5394. The code demonstrates the XSS protection mechanisms and their implementation, but does not include a functional exploit or PoC.

Description

In the XSS Protection API module before 1.0.12 in Apache Sling, the encoding done by the XSSAPI.encodeForJSString() method is not restrictive enough and for some input patterns allows script tags to pass through unencoded, leading to potential XSS vulnerabilities.

Exploits (2)

nomisec WRITEUP
by shoucheng3 · poc
https://github.com/shoucheng3/apache__sling-org-apache-sling-xss_CVE-2016-5394_1-0-8

This repository contains the source code for the Apache Sling XSS Bundle, which includes the vulnerable code for CVE-2016-5394. The code demonstrates the XSS protection mechanisms and their implementation, but does not include a functional exploit or PoC.

Classification
Writeup 90%
Attack Type
XSS
Complexity
Moderate
Reliability
Theoretical
Target: Apache Sling XSS Bundle
No auth needed
Prerequisites: Access to a vulnerable Apache Sling instance
MITRE ATT&CK
mistral-large-3 · analyzed Feb 18, 2026
nomisec STUB
by epicosy · poc
https://github.com/epicosy/VUL4J-23

The repository contains only API source files and a Travis CI configuration, with no exploit code or technical analysis related to CVE-2016-5394. It appears to be a partial or incomplete snapshot of the Apache Sling project.

Classification
Stub 90%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: Apache Sling
No auth needed
mistral-large-3 · analyzed Feb 18, 2026

References (2)

Core 2
Core References
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid)
http://www.securityfocus.com/bid/99870

Scores

CVSS v3 6.1
EPSS 0.0260
EPSS Percentile 83.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (4)
apache/sling < 1.0.12
Apache Software Foundation/Apache Sling prior to 1.0.12
org.apache.sling/org.apache.sling.xss 0 - 1.0.12 (Maven)
org.apache.sling/org.apache.sling.xss.compat 0 - 1.1.0 (Maven)
Published Jul 19, 2017
Tracked Since Feb 18, 2026