CVE-2023-26119

Versions of the package net.sourceforge.htmlunit:htmlunit from 0 and before 3.0.0 are vulnerable to Remote Code Execution (RCE) via XSTL, when browsing the attacker’s webpage.

Published: Apr 3, 2023
Updated: May 9, 2024
CVE: CVE-2023-26119
GHSA: GHSA-3xrr-7m6p-p7xh
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-74
CWE-94

Affected Software
References

Software	From	Fixed in
net.sourceforge.htmlunit / htmlunit	-	3.0.0
htmlunit / htmlunit	-	3.0.0

https://github.com/HtmlUnit/htmlunit/commit/641325bbc84702dc9800ec7037aec061ce21956b
https://security.snyk.io/vuln/SNYK-JAVA-NETSOURCEFORGEHTMLUNIT-3252500
https://siebene.github.io/2022/12/30/HtmlUnit-RCE
https://siebene.github.io/2022/12/30/HtmlUnit-RCE/

Vulnerability Database

289,697

CVE-2023-26119