CVE-2026-43892

HIGH 8.8

AntSword: Incomplete noxss() sanitization leads to 1-click RCE via jquery.terminal format code injection

CVSS Score

8.8

EPSS Score

0.0%

EPSS Percentile

0th

AntSword is a cross-platform website management toolkit. Prior to 2.1.16, incomplete noxss() sanitization leads to 1-click RCE via jquery.terminal format code injection. This vulnerability is fixed in 2.1.16.

CWE	CWE-79 CWE-94 CWE-1188
Vendor	antswordproject
Product	antsword
Published	May 12, 2026
Last Updated	May 13, 2026

Stay Ahead of the Next One

Get instant alerts for antswordproject antsword

Be the first to know when new high vulnerabilities affecting antswordproject antsword are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

AntSwordProject / antSword

< 2.1.16

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/AntSwordProject/antSword/security/advisories/GHSA-c63g-p4cp-r45x