Vulnerability details: VCID-5918-w4jq-rka8
Vulnerability ID VCID-5918-w4jq-rka8
Aliases CVE-2016-1000226
GHSA-7f59-x49p-v8mq
GMS-2020-783
Summary XSS in Consumes/Produces Parameter

Swagger is a standardized library for documenting API endpoints and their parameters. Swagger uses a JSON document to organize API endpoint parameter data. Swagger-UI version 2.1.4 contains a cross-site scripting (XSS) vulnerability in the `consumes` and `produces` parameters of the Swagger JSON document for a given API. A maliciously crafted Swagger JSON document can be loaded via the URL query-string parameter `url`. To exploit the vulnerability, an attacker would convince a user to visit a malicious URL crafted in the following format:

```
http://<USER_HOSTNAME>/swagger-ui/index.html?url=http://<MALICIOUS_HOSTNAME>/malicious-swagger-file.json
```

This issue is being disclosed before a public patched release is available because it was made public in a GitHub issue.
Status Published
Exploitability 0.5
Weighted Severity 9.0
Risk 4.5
No exploits are available.

No EPSS data available for this vulnerability.

| Date | Actor | Action | Source | VulnerableCode Version |
|---|---|---|---|---|
| 2026-06-02T03:45:03.104789+00:00 | Npm Importer | Import | https://github.com/nodejs/security-wg/blob/main/vuln/npm/123.json | 38.6.0 |