QwikSec

Security Database

CVE

CWE

Training

CVE-2026-23768

Published: Jan 16, 2026

Modified: Jan 16, 2026

PUBLISHED

Description

lucy-xss-filter before commit 7c1de6d allows an attacker to induce server-side HEAD requests to arbitrary URLs when the ObjectSecurityListener or EmbedSecurityListener option is enabled and embed or object tags are used with a src attribute missing a file extension.

Vendor	Product	Versions
NAVER	lucy-xss-filter	unaffected `7c1de6db76749ceb7b382493da29c4348853cf6b`

Weaknesses (CWE)

References

https://cve.naver.com/detail/cve-2026-23768.html

vendor-advisory

https://github.com/naver/lucy-xss-filter/pull/31

mitigation

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.