VDB
KO

PYSEC-2026-840

Loggerhead XSS via filename

Details

Cross-site scripting (XSS) vulnerability in `templatefunctions.py` in Loggerhead before 1.18.1 allows remote authenticated users to inject arbitrary web script or HTML via a filename, which is not properly handled in a revision view.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / loggerhead
Introduced in: 0 Fixed in: 1.18.1
Fix pip install --upgrade 'loggerhead>=1.18.1'

References