CVE-2018-1000559
Description
qutebrowser, starting with v0.11.0 (1179ee7a937fb31414d77d9970bac21095358449), contains a Cross-Site Scripting (XSS) vulnerability in the :history command and the qute://history page. Via injected JavaScript code, a website can steal the user's browsing history. To exploit it, the victim must open a page with a specially crafted `<title>` attribute and then open the qute://history site via the :history command. The vulnerability appears to have been fixed in v1.3.3 (4c9360237f186681b1e3f2a0f30c45161cf405c7, to be released today) and v1.4.0 (5a7869f2feaa346853d2a85413d6527c87ef0d9f, released later this week).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
qutebrowser v0.11.0–v1.3.2 has a stored XSS in the history page, allowing theft of browsing history via a crafted attribute.
Vulnerability
qutebrowser versions from v0.11.0 to v1.3.2 (inclusive) contain a cross-site scripting (XSS) vulnerability in the :history command and the qute://history page. The bug occurs because the browser does not sanitize the `<title>` attribute of a visited page when it is stored in the browsing history. When the victim later opens the qute://history page, the unsanitized title is rendered, allowing injection of arbitrary JavaScript [1].
Exploitation
The attacker must craft a malicious page with a specially crafted `<title>` attribute containing JavaScript code. The victim must first visit this malicious page (so the title is stored in the browsing history), and then open the qute://history site via the :history command. No authentication or special privileges are required beyond normal web browsing [1].
Impact
If successful, the injected JavaScript executes in the context of the qute://history page. This permits the attacker to steal the victim's browsing history, which is a disclosure of sensitive information [1]. There is no indication of privilege escalation or arbitrary code execution beyond the XSS scope.
Mitigation
The vulnerability is fixed in qutebrowser v1.3.3 (commit 4c9360237f186681b1e3f2a0f30c45161cf405c7, released 2018-06-26) and v1.4.0 (commit 5a7869f2feaa346853d2a85413d6527c87ef0d9f, released later that week). Users should update to at least v1.3.3. No workaround is documented; the vendor recommends upgrading [1].
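The escaping fix described above, modelled as an added example (not qutebrowser's code). `Entry`, `render_rows` and `injected_tags` are hypothetical names, the sample history is constructed, and the escaped variant picks the title fallback before escaping, which is an assumption that differs from the commit.

```python
import html
from collections import namedtuple
from html.parser import HTMLParser

# Constructed stand-in for a history row; the real entry type is not shown on the page.
Entry = namedtuple("Entry", "url title atime")

# Constructed sample history. The second title is the one from the fix's test page.
SAMPLE = [
    Entry("https://example.org/3.txt", "Plain title", 1529971200),
    Entry("https://example.org/issue4011.html",
          "<img src=\"x\" onerror=\"console.log('XSS')\">foo", 1529971260),
    Entry("https://example.org/?q=<b>&x=1", "", 1529971320),  # empty title: URL is shown
    Entry("https://example.org/none", None, 1529971380),      # assumed possible: no title
]

def history_data_unescaped(entries):
    """Pre-fix shape: site-controlled strings are passed through untouched."""
    return [{"url": e.url, "title": e.title or e.url, "time": e.atime}
            for e in entries]

def history_data_escaped(entries):
    """Post-fix shape: every site-controlled string is HTML-escaped.
    The fallback is chosen before escaping so a None title never reaches html.escape."""
    return [{"url": html.escape(e.url), "title": html.escape(e.title or e.url),
             "time": e.atime} for e in entries]

def render_rows(data):
    """Hypothetical sink: builds markup by string concatenation."""
    row = '<tr><td><a href="{url}">{title}</a></td></tr>'
    return "".join(row.format(**d) for d in data)

class _Tags(HTMLParser):
    def __init__(self):
        super().__init__()
        self.seen = []

    def handle_starttag(self, tag, attrs):
        self.seen.append(tag)

def injected_tags(markup, template_tags=("tr", "td", "a")):
    """Elements present in the markup that the template itself never emits."""
    parser = _Tags()
    parser.feed(markup)
    parser.close()
    return [t for t in parser.seen if t not in template_tags]

if __name__ == "__main__":
    for fn in (history_data_unescaped, history_data_escaped):
        print(fn.__name__, injected_tags(render_rows(fn(SAMPLE))))
```

Running `injected_tags` over rendered history output is a cheap regression check: any element outside the template's own tag set means a site-controlled string reached the page unescaped.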
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| qutebrowser (PyPI) | >= 0.11.0, < 1.3.3 | 1.3.3 |
Affected products
- ghsa-coords (2 versions)
  - (no CPE) range: >= 0.11.0, < 1.3.3
  - (no CPE) range: < 2.3.1-2.1
Patches
4c9360237f18: Fix XSS issue on qute://history
3 files changed · +19 −2
qutebrowser/browser/qutescheme.py+4 −2 modified@@ -24,6 +24,7 @@ _HANDLERS: The handlers registered via decorators. """ +import html import json import os import time @@ -241,8 +242,9 @@ def history_data(start_time, offset=None): end_time = start_time - 24*60*60 entries = hist.entries_between(end_time, start_time) - return [{"url": e.url, "title": e.title or e.url, "time": e.atime} - for e in entries] + return [{"url": html.escape(e.url), + "title": html.escape(e.title) or html.escape(e.url), + "time": e.atime} for e in entries] @add_handler('history')
tests/end2end/data/issue4011.html+10 −0 added@@ -0,0 +1,10 @@ +<!DOCTYPE html> +<html> + <head> + <meta charset="utf-8"> + <title><img src="x" onerror="console.log('XSS')">foo</title> + </head> + <body> + foo + </body> +</html>
tests/end2end/features/history.feature+5 −0 modified@@ -111,3 +111,8 @@ Feature: Page history And I wait until qute://history is loaded Then the page should contain the plaintext "3.txt" Then the page should contain the plaintext "4.txt" + + Scenario: XSS in :history + When I open data/issue4011.html + And I open qute://history + Then the javascript message "XSS" should not be logged
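Review bot: in the history_data hunk of qutebrowser/browser/qutescheme.py, html.escape(e.title) is now evaluated before the `or` fallback, so the expression assumes e.title is always a string; the old `e.title or e.url` tolerated a missing title, while html.escape raises on None. Choosing the fallback first, as in html.escape(e.title or e.url), gives the same output for an empty title and escapes only once. A one-line comment saying why the values are escaped in this function would also help the next reader.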
5a7869f2feaa: Fix XSS issue on qute://history
3 files changed · +19 −2
qutebrowser/browser/qutescheme.py+4 −2 modified@@ -24,6 +24,7 @@ _HANDLERS: The handlers registered via decorators. """ +import html import json import os import time @@ -241,8 +242,9 @@ def history_data(start_time, offset=None): end_time = start_time - 24*60*60 entries = hist.entries_between(end_time, start_time) - return [{"url": e.url, "title": e.title or e.url, "time": e.atime} - for e in entries] + return [{"url": html.escape(e.url), + "title": html.escape(e.title) or html.escape(e.url), + "time": e.atime} for e in entries] @add_handler('history')
tests/end2end/data/issue4011.html+10 −0 added@@ -0,0 +1,10 @@ +<!DOCTYPE html> +<html> + <head> + <meta charset="utf-8"> + <title><img src="x" onerror="console.log('XSS')">foo</title> + </head> + <body> + foo + </body> +</html>
tests/end2end/features/history.feature+5 −0 modified@@ -112,3 +112,8 @@ Feature: Page history And I wait until qute://history is loaded Then the page should contain the plaintext "3.txt" Then the page should contain the plaintext "4.txt" + + Scenario: XSS in :history + When I open data/issue4011.html + And I open qute://history + Then the javascript message "XSS" should not be logged
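Review bot: the new "XSS in :history" scenario in tests/end2end/features/history.feature asserts only that the "XSS" message is not logged, and unlike the scenario just above it has no "And I wait until qute://history is loaded" step, so the negative check can pass before the history entries are rendered. Suggest adding that wait step plus a positive assertion such as "Then the page should contain the plaintext" for the visited entry, so the test fails when the entry is missing as well as when the script runs.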
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-m4fw-77v7-924m (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-1000559 (ghsa, ADVISORY)
- github.com/pypa/advisory-database/tree/main/vulns/qutebrowser/PYSEC-2018-26.yaml (ghsa, WEB)
- github.com/qutebrowser/qutebrowser/commit/4c9360237f186681b1e3f2a0f30c45161cf405c7 (ghsa, x_refsource_MISC, WEB)
- github.com/qutebrowser/qutebrowser/commit/5a7869f2feaa346853d2a85413d6527c87ef0d9f (ghsa, x_refsource_MISC, WEB)
- github.com/qutebrowser/qutebrowser/issues/4011 (ghsa, x_refsource_MISC, WEB)