CVE-2022-29577

MEDIUM

OWASP AntiSamy < 1.6.7 - Cross-Site Scripting via HTML Tag Smuggling in STYLE Content

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-29577. PoCs published by shoucheng3.

AI-analyzed exploit summary: This repository contains a README file describing the AntiSamy library and its usage, including policy files and API examples. It does not include exploit code or a proof-of-concept for CVE-2022-29577.

Description

OWASP AntiSamy before 1.6.7 allows XSS via HTML tag smuggling on STYLE content with crafted input. The output serializer does not properly encode the supposed Cascading Style Sheets (CSS) content. NOTE: this issue exists because of an incomplete fix for CVE-2022-28367.

Exploits (1)

nomisec WRITEUP
by shoucheng3 · poc
https://github.com/shoucheng3/nahsra__antisamy_CVE-2022-29577_1-6-6-1

Classification: Writeup 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: AntiSamy (version not specified)
No auth needed
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 6.1
EPSS 0.0024
EPSS Percentile 48.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE: CWE-79
Status: published
Products (7)
antisamy_project/antisamy < 1.6.7
oracle/enterprise_manager_base_platform 13.4.0.0
oracle/enterprise_manager_base_platform 13.5.0.0
oracle/weblogic_server 12.2.1.3.0
oracle/weblogic_server 12.2.1.4.0
oracle/weblogic_server 14.1.1.0.0
org.owasp.antisamy/antisamy 0 - 1.6.7 (Maven)
Published Apr 21, 2022
Tracked Since Feb 18, 2026