{"id":"CVE-2016-9681","details":"Multiple cross-site scripting (XSS) vulnerabilities in Serendipity before 2.0.5 allow remote authenticated users to inject arbitrary web script or HTML via a category or directory name.","modified":"2026-04-10T03:54:21.443465Z","published":"2016-12-25T17:59:00.137Z","references":[{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/95095"},{"type":"FIX","url":"https://github.com/s9y/Serendipity/commit/e2a665e13b7de82a71c9bbb77575d15131b722be"},{"type":"EVIDENCE","url":"https://smarterbitbybit.com/cve-2016-9681-serendipity-cms-xss-vulnerability-in-version-2-0-4/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/s9y/serendipity","events":[{"introduced":"0"},{"last_affected":"55d0cc21cb34ab50bb92ede65b07cc62c30008d6"},{"fixed":"e2a665e13b7de82a71c9bbb77575d15131b722be"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.0.4"}]}}],"versions":["2.0.0","2.0.1","2.0.2","2.0.4","2.1-beta1","2.1-beta2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-9681.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}