Updated: 2026-01-19 04:04:21.295909
Description:
The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.
| Links | NIST | CIRCL | RHEL | Ubuntu |
| Severity | Score | |
|---|---|---|
| CVSS Version 2.x | MEDIUM | 4.3 |
| CVSS Version 3.x | MEDIUM | 6.1 |
| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
|---|---|---|---|---|---|---|---|---|
| Alpine Linux 3.22 | python | 3.6 | 6.1 | MEDIUM | Not Vulnerable | 2026-01-27 16:43:11 | ||
| Debian 10 | python | 3.6 | 6.1 | MEDIUM | Already Fixed | 2025-09-09 19:25:34 | ||
| Debian 10 | python | 2.7 | 6.1 | MEDIUM | Already Fixed | 2025-09-09 19:25:33 | ||
| Debian 11 | python | 2.7 | 6.1 | MEDIUM | Already Fixed | 2025-09-09 19:25:32 | ||
| Debian 11 | python | 3.6 | 6.1 | MEDIUM | Already Fixed | 2025-09-09 19:25:34 | ||
| Debian 12 | python | 3.7 | 6.1 | MEDIUM | Not Vulnerable | 2025-12-09 20:16:28 | ||
| Debian 12 | python | 3.6 | 6.1 | MEDIUM | Already Fixed | 2025-09-09 19:25:33 | ||
| Debian 12 | python | 2.7 | 6.1 | MEDIUM | Already Fixed | 2025-09-09 19:25:32 | ||
| Debian 13 | python | 3.6 | 6.1 | MEDIUM | Already Fixed | 2025-10-03 19:04:10 | ||
| Debian 13 | python | 2.7 | 6.1 | MEDIUM | Already Fixed | 2025-10-23 12:54:06 |