Basic Information

- CVSS Score: -
- CVE ID: -
- GHSA ID: -
- EPSS Score: -
- CWE: -
- Published: -
- Updated: -
- KEV Status: -
- Technology: -
The vulnerability stems from multiple instances where user-controlled input (e.g., the 'template' parameter, page names, login fields) was passed to theme.add_msg without proper HTML escaping. This is confirmed by:

1) The Debian patch, which adds explicit escaping to PageEditor.py's template handling.
2) Security advisories listing 10 affected components.
3) Commit diffs (e.g., e50b087c4572) adding wikiutil.escape() in these contexts.

The pattern matches across all listed files: user input flows into message rendering without sanitization, making these functions clear XSS vectors.
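To make the pattern concrete, here is an added example (not MoinMoin's own code) that models the unsafe and the fixed call into add_msg side by side. The `Theme` class, its `add_msg`/`render` methods, the `escape()` stand-in for wikiutil.escape(), the handler names and the message text are all assumptions constructed for this illustration; only the vulnerable/fixed contrast follows the advisory.

```python
import html


def escape(text: str) -> str:
    """Stand-in for MoinMoin's wikiutil.escape(): neutralise the characters
    that would let user input open or close tags and attributes."""
    return html.escape(text, quote=True)


class Theme:
    """Hypothetical stand-in for the theme object whose add_msg() collects
    status messages that are later rendered into the page as raw HTML."""

    def __init__(self):
        self.msgs = []

    def add_msg(self, msg: str, msg_class: str = "info"):
        # The message is inserted verbatim; callers must escape first.
        self.msgs.append((msg, msg_class))

    def render(self) -> str:
        return "".join('<div class="%s">%s</div>' % (cls, msg) for msg, cls in self.msgs)


def warn_missing_template_vulnerable(theme, template):
    # Vulnerable pattern: the request parameter lands in the message
    # unescaped, so any markup in it is interpreted by the browser.
    theme.add_msg('Template "%s" not found.' % template, "error")


def warn_missing_template_fixed(theme, template):
    # Fixed pattern: escape the untrusted value before it reaches add_msg.
    theme.add_msg('Template "%s" not found.' % escape(template), "error")


def render_with(handler, template):
    theme = Theme()
    handler(theme, template)
    return theme.render()


def contains_raw_markup(rendered_html: str, untrusted: str) -> bool:
    """Defensive check: does the untrusted input survive verbatim in the output?"""
    return untrusted in rendered_html


# Constructed sample input carrying markup, standing in for a 'template' value.
SAMPLE = "<script>x</script>"

if __name__ == "__main__":
    print(render_with(warn_missing_template_vulnerable, SAMPLE))
    print(render_with(warn_missing_template_fixed, SAMPLE))
```

The same check can be turned into a regression test for every add_msg call site the advisory lists.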
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| moin | pip | <= 1.7.3 | |
| moin | pip | >= 1.8.0, < 1.8.8 | 1.8.8 |
| moin | pip | >= 1.9.0, < 1.9.3 | 1.9.3 |