MEDIUM 6.1
PYSEC-2026-1402
GI-DocGen vulnerable to Reflected XSS via unescaped query strings
Details
A flaw was found in GI-DocGen. This vulnerability allows arbitrary JavaScript execution in the context of the page — enabling DOM access, session cookie theft and other client-side attacks — via a crafted URL that supplies a malicious value to the q GET parameter (reflected DOM XSS).
Are you affected?
Enter the version of the package you're using.
Affected packages
References
- https://nvd.nist.gov/vuln/detail/CVE-2025-11687 [ADVISORY]
- https://access.redhat.com/security/cve/CVE-2025-11687 [WEB]
- https://bugzilla.redhat.com/show_bug.cgi?id=2403536 [WEB]
- https://github.com/GNOME/gi-docgen [PACKAGE]
- https://gitlab.gnome.org/GNOME/gi-docgen/-/commit/65d16b8ac178900602da540c8f5df4f52d5e8cf6 [WEB]
- https://gitlab.gnome.org/GNOME/gi-docgen/-/issues/228 [WEB]
- https://pypi.org/project/gi-docgen [PACKAGE]
- https://github.com/advisories/GHSA-6p6h-rqr6-62mv [ADVISORY]