CVE-2022-28367

MEDIUM

OWASP AntiSamy <1.6.6 - XSS

Description

OWASP AntiSamy before 1.6.6 allows XSS via HTML tag smuggling on STYLE content with crafted input. The output serializer does not properly encode the supposed Cascading Style Sheets (CSS) content.

Scores

CVSS v3 6.1
EPSS 0.0022
EPSS Percentile 44.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE CWE-79
Status published
Products (2)
antisamy_project/antisamy < 1.6.6
org.owasp.antisamy/antisamy 0 - 1.6.6 (Maven)
Published Apr 21, 2022
Tracked Since Feb 18, 2026