CVE-2026-25688
6.1 MEDIUM
Improper Neutralization of Alternate XSS Syntax vulnerability in Apache Answer
Published: 2026-06-09 · Last updated: 2026-06-10
Severity and scoring
- CVSS: 6.1 MEDIUM
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- CWE: CWE-87
Affected products
| Vendor | Product |
|---|---|
| apache | answer |
Description
Improper Neutralization of Alternate XSS Syntax vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. AI-generated response content was rendered in the browser without proper sanitization, allowing malicious scripts to be executed when the content was viewed. Users are recommended to upgrade to version 2.0.1, which fixes the issue.
Source: NVD
Related CVEs
Same vendor
- CVE-2026-34905 — Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Answer (6.5 MEDIUM)
- CVE-2026-34031 — Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer (6.5 MEDIUM)
- CVE-2026-33582 — Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer (6.5 MEDIUM)
- CVE-2026-25699 — Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Apache Answer (6.1 MEDIUM)
- CVE-2026-49975 — Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP ... (7.5 HIGH)
Same CWE
- CVE-2026-46492 — md-fileserver allows for local viewing of markdown files in a browser (7.2 HIGH)
- CVE-2026-45314 — Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline (6.1 MEDIUM)
- CVE-2026-42458 — Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-com...