CVE-2026-23768

Published: Jan 16, 2026Modified: Jan 23, 2026

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

lucy-xss-filter before commit 7c1de6d allows an attacker to induce server-side HEAD requests to arbitrary URLs when the ObjectSecurityListener or EmbedSecurityListener option is enabled and embed or object tags are used with a src attribute missing a file extension.

Affected (1)

Products: Naver: Lucy Xss Filter

1 product

Lucy Xss Filter

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Naver Lucy Xss Filter	Before 2025-06-08

Related CWEs

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (2)

https://cve.naver.com/detail/cve-2026-23768.html

Source: cve@navercorp.com

Vendor Advisory

https://github.com/naver/lucy-xss-filter/pull/31

Source: cve@navercorp.com

ExploitPatch

Timeline

No history available yet.