GHSA-xrf4-39fm-j5f2MediumCVSS 6.1

Fava time and filter parameters vulnerable to reflected Cross-site Scripting

Published
July 26, 2022
Last Modified
May 19, 2026

🔗 CVE IDs covered (1)

📋 Description

The time and filter parameters in Fava prior to v1.22 are vulnerable to reflected cross-site scripting due to the lack of escaping of error messages which contained the parameters in verbatim.

🎯 Affected products1

  • pip/fava:>= 0, < 1.22

🔗 References (6)