HIGHCVE-2026-39416Published 2026-04-08Modified 2026-04-09CNA GitHub_M

CVE-2026-39416: Stored XSS in modal item preview for long item content in AIL Framework

AIL framework is an open-source platform to collect, crawl, process and analyse unstructured data. Prior to 6.8, a stored cross-site scripting (XSS) vulnerability was identified in the modal item preview functionality. When item content longer than 800 characters was processed, attacker-controlled content was returned without an explicit text/plain content type, allowing the browser to interpret the response as active HTML. This could result in execution of arbitrary JavaScript in the context of an authenticated user viewing a crafted item. This vulnerability is fixed in 6.8.

CVSS v4.0: 8.5
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

ail-project / ail-framework
< 6.8

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/U:Amber

References

https://github.com/ail-project/ail-framework/security/advisories/GHSA-fj6v-43r7-gcjm
https://vulnerability.circl.lu/vuln/gcve-1-2026-0023

Metrics