{"id":"CVE-2022-34009","details":"Fossil 2.18 on Windows allows attackers to cause a denial of service (daemon crash) via an XSS payload in a ticket. This occurs because the ticket data is stored in a temporary file, and the product does not properly handle the absence of this file after Windows Defender has flagged it as malware.","modified":"2026-03-14T11:48:06.208639Z","published":"2022-07-28T00:15:08.640Z","references":[{"type":"ADVISORY","url":"https://fossil-scm.org/home/doc/trunk/www/changes.wiki"},{"type":"EVIDENCE","url":"https://gainsec.com/2022/07/27/cve-2022-34009/"}],"affected":[{"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"2.18"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-34009.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}