{"id":"CVE-2023-26042","summary":"HTML/XSS injection possibilities in Part-DB","details":"Part-DB is an open source inventory management system for your electronic components. User input was not properly escaped, which allowed malicious users to inject arbitrary HTML into the pages. The Content-Security-Policy forbids inline and external scripts, so it is not possible to execute JavaScript code unless this issue is combined with other vulnerabilities. There are no workarounds; please upgrade to Part-DB 1.0.2 or later.","aliases":["GHSA-9pmh-gmxx-rg2x"],"modified":"2026-04-02T08:51:15.978353Z","published":"2023-02-27T14:41:24.145Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/26xxx/CVE-2023-26042.json","cwe_ids":["CWE-79"],"cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/Part-DB/Part-DB-server/releases/tag/v1.0.2"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/26xxx/CVE-2023-26042.json"},{"type":"ADVISORY","url":"https://github.com/Part-DB/Part-DB-server/security/advisories/GHSA-9pmh-gmxx-rg2x"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-26042"},{"type":"FIX","url":"https://github.com/Part-DB/Part-DB-server/commit/5b7f44f4eaacad8a79bcedec32780e00d7347099"},{"type":"FIX","url":"https://github.com/Part-DB/Part-DB-server/pull/227"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/part-db/part-db-server","events":[{"introduced":"e47b5090c71766fff47cc6b365e0b9fd70937451"},{"fixed":"f20da0f0493e7b0b9e7c460d9d1c2ca48d9e9a08"}]}],"versions":["v1.0.0","v1.0.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-26042.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}