{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-25688","assignerOrgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","state":"PUBLISHED","assignerShortName":"apache","dateReserved":"2026-02-05T08:46:14.890Z","datePublished":"2026-06-09T07:32:23.869Z","dateUpdated":"2026-06-09T14:56:41.862Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Apache Answer","vendor":"Apache Software Foundation","versions":[{"lessThanOrEqual":"2.0.0","status":"affected","version":"0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"reporter","value":"Sho Odagiri"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>Improper Neutralization of Alternate XSS Syntax vulnerability in Apache Answer.</p><p>This issue affects Apache Answer: through 2.0.0.</p>AI-generated response content was rendered in the browser without proper sanitization, allowing malicious scripts to be executed when the content was viewed.<br><p>Users are recommended to upgrade to version 2.0.1, which fixes the issue.</p>"}],"value":"Improper Neutralization of Alternate XSS Syntax vulnerability in Apache Answer.\n\nThis issue affects Apache Answer: through 2.0.0.\n\nAI-generated response content was rendered in the browser without proper sanitization, allowing malicious scripts to be executed when the content was viewed.\nUsers are recommended to upgrade to version 2.0.1, which fixes the issue."}],"metrics":[{"other":{"content":{"text":"critical"},"type":"Textual description of severity"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-87","description":"CWE-87 Improper Neutralization of Alternate XSS Syntax","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","shortName":"apache","dateUpdated":"2026-06-09T07:32:23.869Z"},"references":[{"tags":["vendor-advisory"],"url":"https://lists.apache.org/thread/x42joj43rqb38ms5q60f7bgq3qbo7t5q"}],"source":{"discovery":"EXTERNAL"},"title":"Apache Answer: XSS in AI Answer Rendering","x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"http://www.openwall.com/lists/oss-security/2026/06/09/7"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2026-06-09T09:07:29.704Z"}},{"metrics":[{"cvssV3_1":{"scope":"CHANGED","version":"3.1","baseScore":6.1,"attackVector":"NETWORK","baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","integrityImpact":"LOW","userInteraction":"REQUIRED","attackComplexity":"LOW","availabilityImpact":"NONE","privilegesRequired":"NONE","confidentialityImpact":"LOW"}},{"other":{"type":"ssvc","content":{"timestamp":"2026-06-09T14:56:37.215499Z","id":"CVE-2026-25688","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-06-09T14:56:41.862Z"}}]}}