{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-38949", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-28T16:06:20.531Z", "dateReserved": "2026-04-06T00:00:00.000Z", "datePublished": "2026-04-28T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-28T16:06:20.531Z"}, "descriptions": [{"lang": "en", "value": "Cross-Site Scripting (XSS) vulnerability exists in HTMLy version 3.1.1 in the content creation functionality at the /add/content?type=image endpoint. The application fails to properly sanitize user input, allowing injection of arbitrary code"}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/danpros/htmly"}, {"url": "https://youtu.be/3e-tzUMCox8"}, {"url": "https://github.com/Chittu13/cve-research/blob/main/CVE-2026-38949/README.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}}, "dataVersion": "5.2"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-Site Scripting (XSS) vulnerability exists in HTMLy version 3.1.1 in the content creation functionality at the /add/content?type=image endpoint. The application fails to properly sanitize user input, allowing injection of arbitrary code"}], "id": "CVE-2026-38949", "lastModified": "2026-04-28T20:19:13.567", "metrics": {}, "published": "2026-04-28T19:37:38.937", "references": [{"source": "cve@mitre.org", "url": "https://github.com/Chittu13/cve-research/blob/main/CVE-2026-38949/README.md"}, {"source": "cve@mitre.org", "url": "https://github.com/danpros/htmly"}, {"source": "cve@mitre.org", "url": "https://youtu.be/3e-tzUMCox8"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred"}

{}

{"analysis": {"en": {"generated_at": "2026-04-29T01:31:28.520611+00:00", "value": {"mitigation_remediation": ["Upgrade to a patched version of HTMLy if one has been released by the vendor or community.", "Sanitize user input on the /add/content?type=image endpoint by removing disallowed tags or using a trusted library such as OWASP Java HTML Sanitizer.", "Implement a Content Security Policy that restricts inline scripts and eval usage to mitigate any exploitation."], "summary": {"action": "Assess", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The affected product is HTMLy, version 3.1.1. No other vendors or products were identified. Users of this specific version are directly impacted.", "description_and_impact": "A stored cross\u2011site scripting vulnerability exists in the content creation endpoint of HTMLy version 3.1.1. The application fails to sanitize user input, allowing attackers to inject arbitrary HTML or JavaScript. If exploited, malicious code will run in the browsers of users who view the affected content, potentially leading to session hijacking, defacement, or other malicious actions. This flaw represents a classic cross\u2011site scripting weakness.", "risk_and_exploitability": "The CVSS score is not disclosed, and the EPSS score is unavailable, so the formal severity cannot be computed. However, the flaw is exploitable by any user with access to the image content creation endpoint. Because injected code executes in the victim's browser, the impact is high if the content is publicly viewable. The vulnerability is not listed in CISA\u2019s KEV catalog, indicating no confirmed exploits as of the last update. Nonetheless, the lack of proper input validation presents a significant risk that should be mitigated."}}}}, "created": "2026-04-29T01:45:25.994979+00:00", "title": "Stored Cross\u2011Site Scripting in HTMLy Content Creation", "updated": "2026-04-29T01:45:25.994993+00:00", "vendors": [], "weaknesses": ["CWE-79"]}