GI-DocGen, Reflected XSS, CVE-2026-????? (Moderate)

Listen to this Post

The vulnerability is a classic reflected DOM-based Cross-Site Scripting (XSS) in the GI-DocGen documentation tool. It occurs because user input from the URL query string (specifically the `q` parameter used for search) is not properly sanitized or escaped before being written into the live Document Object Model (DOM). When a victim visits a specially crafted URL, the malicious JavaScript payload embedded in the `q` parameter is extracted and executed by the victim’s browser in the context of the GI-DocGen application domain. This allows an attacker to steal session cookies, redirect the user, or perform actions on their behalf, all without needing to compromise the server itself, as the flawed JavaScript logic resides in the client-side code.
Platform: GI-DocGen Documentation Tool
Version: Versions prior to fix
Vulnerability: Reflected DOM XSS
Severity: Moderate
Date: 2026-01-26

Prediction: Patch by 2026-02-09

What Undercode Say:

curl -s “http://target/docs/?q=” | grep -i “q=”

python3 -c “import urllib.parse; print(urllib.parse.quote(‘‘))”

How Exploit:

http://target/docs/?q=”>

Protection from this CVE

Input sanitization and escaping.

Implement strict Content Security Policy.

Update to patched version.

Impact:

Session hijacking and theft.

Client-side defacement or redirects.

Arbitrary client-side code execution.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top