WS-2019-0172
Published:May 14, 2026
Updated:May 14, 2026
swagger-ui before 3.20.9 fails to sanitize URLs used in the OAuth auth flow, which may allow attackers to execute arbitrary JavaScript. that leads to Cross-Site Scripting
Affected Packages
swagger-ui (CDN_JS):
Affected version(s) >=1.0.12 <3.20.9Fix Suggestion:
Update to version 3.20.9swagger-ui (NPM):
Affected version(s) >=0.1.11 <3.20.9Fix Suggestion:
Update to version 3.20.9swagger-api/swagger-ui (PHP):
Affected version(s) =dev-fix/urlencoded-array-data <dev-fix/xml-oneOfFix Suggestion:
Update to version dev-fix/xml-oneOfwesthack/think-swagger (PHP):
Affected version(s) =1.1.0Fix Suggestion:
Update to version no_fixswagger-api/swagger-ui (PHP):
Affected version(s) =dev-docplan <dev-faceliftFix Suggestion:
Update to version dev-faceliftzhaojunlike/think-swagger (PHP):
Affected version(s) =dev-master <1.0.0Fix Suggestion:
Update to version 1.0.0swagger-api/swagger-ui (PHP):
Affected version(s) >=v3.0.8 <3.3.1Fix Suggestion:
Update to version 3.3.1dreamfactory/df-swagger-ui (PHP):
Affected version(s) >=dev-develop <0.2.0Fix Suggestion:
Update to version 0.2.0swagger-api/swagger-ui (PHP):
Affected version(s) =dev-bug/3983 <dev-issue-5148Fix Suggestion:
Update to version dev-issue-5148esandri/swagger-ui-big (PHP):
Affected version(s) =dev-shockey-patch-3 <v3.0.0Fix Suggestion:
Update to version v3.0.0esandri/swagger-ui-big (PHP):
Affected version(s) >=dev-shockey-patch-4 <=dev-bug/5075-urls-primaryNameFix Suggestion:
Update to version no_fixswagger-api/swagger-ui (PHP):
Affected version(s) >=v3.3.1 <dev-dependabot/npm_and_yarn/babel/runtime-corejs3-7.22.3Fix Suggestion:
Update to version dev-dependabot/npm_and_yarn/babel/runtime-corejs3-7.22.3dreamfactory/df-swagger-ui (PHP):
Affected version(s) >=v3.0.5 <3.3.1Fix Suggestion:
Update to version 3.3.1dreamfactory/df-swagger-ui (PHP):
Affected version(s) >=0.4.0 <v1.0Fix Suggestion:
Update to version v1.0swagger-api/swagger-ui (PHP):
Affected version(s) >=v3.0.5 <dev-dependabot/npm_and_yarn/dompurify-3.0.8Fix Suggestion:
Update to version dev-dependabot/npm_and_yarn/dompurify-3.0.8kevupton/auto-swagger-ui (PHP):
Affected version(s) =dev-master <v0.0.1Fix Suggestion:
Update to version v0.0.1swagger-api/swagger-ui (PHP):
Affected version(s) >=v3.8.0 <v/3.18.0Fix Suggestion:
Update to version v/3.18.0swagger-api/swagger-ui (PHP):
Affected version(s) >=v3.18.1 <v3.20.9Fix Suggestion:
Update to version v3.20.9swagger-api/swagger-ui (PHP):
Affected version(s) =dev-shockey-patch-9 <dev-dependabot/npm_and_yarn/mocha-9.0.2Fix Suggestion:
Update to version dev-dependabot/npm_and_yarn/mocha-9.0.2kevupton/auto-swagger-ui (PHP):
Affected version(s) >=v0.1.0 <=v0.1.3Fix Suggestion:
Update to version no_fixswagger-api/swagger-ui (PHP):
Affected version(s) =dev-feature/test-jump-to <dev-fix-null-value-parsingFix Suggestion:
Update to version dev-fix-null-value-parsingwesthack/think-swagger (PHP):
Affected version(s) =dev-master <1.0.0Fix Suggestion:
Update to version 1.0.0esandri/swagger-ui-big (PHP):
Affected version(s) >=dev-cbt-run-e2e <v2.0.0Fix Suggestion:
Update to version v2.0.0Related Resources (2)
Do you need more information?
Contact UsCVSS v4
Base Score:
6.9
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE