CVE-2026-23768 - Vulnerability Details

lucy-xss-filter before commit 7c1de6d allows an attacker to induce server-side HEAD requests to arbitrary URLs when the ObjectSecurityListener or EmbedSecurityListener option is enabled and embed or object tags are used with a src attribute missing a file extension.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

References

Link	Providers
https://cve.naver.com/detail/cve-2026-23768.html
https://github.com/naver/lucy-xss-filter/pull/31

History

Fri, 16 Jan 2026 05:30:00 +0000

Type	Values Removed	Values Added
Description		lucy-xss-filter before commit 7c1de6d allows an attacker to induce server-side HEAD requests to arbitrary URLs when the ObjectSecurityListener or EmbedSecurityListener option is enabled and embed or object tags are used with a src attribute missing a file extension.
Weaknesses		CWE-918
References		https://cve.naver.com/detail/cve-2026-23768.html https://github.com/naver/lucy-xss-filter/pull/31

MITRE

Status: PUBLISHED

Assigner: naver

Published: 2026-01-16T05:20:58.677Z

Updated: 2026-01-16T05:33:13.642Z

Reserved: 2026-01-16T05:06:27.869Z

Link: CVE-2026-23768

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-01-16T06:15:51.333

Modified: 2026-01-16T06:15:51.333

Link: CVE-2026-23768

Redhat

No data.

OpenCVE Enrichment

No data.

Metrics

Affected Vendors & Products

Metrics

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object