The vulnerability stemmed from the plugin header parsing logic in yourls_get_plugin_data(), which assigned user-controlled input (the plugin metadata headers) directly to display values without HTML escaping. The fix in commit 04495e8 explicitly wraps the header values in yourls_esc_html(), confirming this as the vulnerable code path. Because the function processes plugin metadata that is later rendered in the admin interface, it is the injection point for stored XSS payloads.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| yourls/yourls | composer | >= 1.5, < 1.8 | 1.8 |