Description

lucy-xss-filter before commit 7c1de6d allows an attacker to induce server-side HEAD requests to arbitrary URLs when the ObjectSecurityListener or EmbedSecurityListener option is enabled and embed or object tags are used with a src attribute missing a file extension.

Status: PUBLISHED | Reserved 2026-01-16 | Published 2026-01-16 | Updated 2026-01-16 | Assigner: naver

Problem types

CWE-918 Server-Side Request Forgery (SSRF)

Product status

Default status: affected

7c1de6db76749ceb7b382493da29c4348853cf6b (git): unaffected

Credits

ksw9722 / Kim Si Ung (finder)

References

cve.naver.com/detail/cve-2026-23768.html (vendor-advisory)

github.com/naver/lucy-xss-filter/pull/31 (mitigation)

cve.org (CVE-2026-23768)

nvd.nist.gov (CVE-2026-23768)