{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39416", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-07T00:23:30.595Z", "datePublished": "2026-04-08T20:11:03.757Z", "dateUpdated": "2026-04-09T20:22:54.635Z"}, "containers": {"cna": {"title": "Stored XSS in modal item preview for long item content in AIL Framework", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "baseScore": 8.5, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/U:Amber", "version": "4.0"}}], "references": [{"name": "https://github.com/ail-project/ail-framework/security/advisories/GHSA-fj6v-43r7-gcjm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ail-project/ail-framework/security/advisories/GHSA-fj6v-43r7-gcjm"}, {"name": "https://vulnerability.circl.lu/vuln/gcve-1-2026-0023", "tags": ["x_refsource_MISC"], "url": "https://vulnerability.circl.lu/vuln/gcve-1-2026-0023"}], "affected": [{"vendor": "ail-project", "product": "ail-framework", "versions": [{"version": "< 6.8", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T20:11:03.757Z"}, "descriptions": [{"lang": "en", "value": "AIL framework is an open-source platform to collect, crawl, process and analyse unstructured data. Prior to 6.8, a stored cross-site scripting (XSS) vulnerability was identified in the modal item preview functionality. When item content longer than 800 characters was processed, attacker-controlled content was returned without an explicit text/plain content type, allowing the browser to interpret the response as active HTML. This could result in execution of arbitrary JavaScript in the context of an authenticated user viewing a crafted item. This vulnerability is fixed in 6.8."}], "source": {"advisory": "GHSA-fj6v-43r7-gcjm", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T20:22:39.491506Z", "id": "CVE-2026-39416", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T20:22:54.635Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:circl:ail_framework:*:*:*:*:*:*:*:*", "matchCriteriaId": "87166B95-2012-40B7-B318-145A7C5B8249", "versionEndIncluding": "6.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "AIL framework is an open-source platform to collect, crawl, process and analyse unstructured data. Prior to 6.8, a stored cross-site scripting (XSS) vulnerability was identified in the modal item preview functionality. When item content longer than 800 characters was processed, attacker-controlled content was returned without an explicit text/plain content type, allowing the browser to interpret the response as active HTML. This could result in execution of arbitrary JavaScript in the context of an authenticated user viewing a crafted item. This vulnerability is fixed in 6.8."}], "id": "CVE-2026-39416", "lastModified": "2026-04-15T19:20:02.903", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "AMBER", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-08T21:16:59.167", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/ail-project/ail-framework/security/advisories/GHSA-fj6v-43r7-gcjm"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://vulnerability.circl.lu/vuln/gcve-1-2026-0023"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,6.8)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "ail-framework", "source": "cna", "vendor": "ail-project"}, "product": "ail-framework", "vendor": "ail-project"}], "analysis": {"en": {"generated_at": "2026-04-08T21:23:56.353608+00:00", "value": {"mitigation_remediation": ["Upgrade to AIL Framework version 6.8 or later where the issue is fixed.", "Verify that the preview functionality no longer outputs unsanitized HTML for items exceeding 800 characters.", "Consider enforcing a content\u2011type header of text/plain for all preview responses or validating/limiting item content length in the application to prevent future occurrences."], "summary": {"action": "Apply Patch", "impact": "Stored XSS enabling arbitrary JavaScript execution in an authenticated user\u2019s browser"}, "threat_synthesis": {"affected_systems": "The issue affects AIL Framework prior to version 6.8. Users running earlier releases of the open\u2011source platform are at risk, as the bug resides in the core preview rendering logic of the project named ail-framework, maintained by ail\u2011project.", "description_and_impact": "A vulnerability was discovered in the AIL Framework\u2019s modal item preview feature that allows an attacker to embed malicious JavaScript in stored item content longer than 800 characters. Because the response was sent without a strict text/plain content\u2011type, the browser interprets it as active HTML, allowing the attacker to run arbitrary code within the context of any authenticated user who views the crafted item. The flaw is a classic stored cross\u2011site scripting weakness (CWE\u201179).", "risk_and_exploitability": "The vulnerability carries a CVSS score of 8.5, indicating high severity, and is not listed in the CISA Known Exploited Vulnerabilities catalog. EPSS data is unavailable, so the current exploit probability cannot be quantified. An attacker would need to supply content over 800 characters that contains malicious scripting and have an authenticated user retrieve that content via the preview modal, a scenario that is feasible in a web application context. The scope of impact extends to data confidentiality and integrity for any authenticated user who views the compromised item."}}}}, "created": "2026-04-09T08:18:04.205485+00:00", "updated": "2026-04-09T08:27:26.919866+00:00", "vendors": ["ail-project", "ail-project$PRODUCT$ail-framework"]}