CVE-2019-10904
Description
Roundup 1.6 allows XSS via the URI because frontends/roundup.cgi and roundup/cgi/wsgi_handler.py mishandle 404 errors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Roundup 1.6 suffers from reflected XSS due to improper handling of 404 errors, allowing attackers to inject arbitrary JavaScript via crafted URIs.
CVE-2019-10904 describes a reflected cross-site scripting (XSS) vulnerability in Roundup 1.6. The bug originates from improper handling of 404 errors in frontends/roundup.cgi and roundup/cgi/wsgi_handler.py. When a non-existent URL is requested, the requested path is reflected into the 404 error page without HTML escaping, so markup placed in the URL is rendered by the browser [1].
An attacker exploits this by crafting a URL for a non-existent resource whose path carries script markup. If a victim opens the link (or is redirected to it), the browser renders the reflected path and executes the payload in the origin of the Roundup instance [2]. No authentication is required; the attack is reflected and self-contained within the vulnerable 404 page.
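The pattern behind this bug, as an added illustration that is not Roundup's own code: a minimal WSGI-style 404 handler that interpolates the raw request path into an HTML body, next to the hardened form that HTML-escapes it. The handler names, the environ dict, the headers and the probe path are all constructed here for the example; only the bug class (unescaped path reflected in a 404 page) comes from the advisory.

```python
"""Added example for the CVE-2019-10904 bug class (unescaped path reflected
in a 404 page). This is NOT Roundup's code: the handlers, environ and
payload below are constructed for this page."""
import html
from urllib.parse import quote


def not_found_vulnerable(environ):
    """Vulnerable pattern (assumed shape of the bug): the percent-decoded
    path is interpolated into an HTML response body verbatim, so any
    markup in the URL is rendered by the victim's browser."""
    path = environ.get("PATH_INFO", "")
    body = "<html><body><h1>404 Not Found</h1>"
    body += "<p>The requested URL %s was not found.</p></body></html>" % path
    return "404 Not Found", [("Content-Type", "text/html; charset=utf-8")], body


def not_found_fixed(environ):
    """Hardened version: HTML-escape the path before interpolating it, and
    send nosniff so the browser does not reinterpret the content type."""
    path = html.escape(environ.get("PATH_INFO", ""), quote=True)
    body = "<html><body><h1>404 Not Found</h1>"
    body += "<p>The requested URL %s was not found.</p></body></html>" % path
    headers = [
        ("Content-Type", "text/html; charset=utf-8"),
        ("X-Content-Type-Options", "nosniff"),
    ]
    return "404 Not Found", headers, body


def make_environ(raw_path):
    """Constructed WSGI environ for GET <raw_path>. WSGI servers hand
    PATH_INFO to the application already percent-decoded, which is why
    URL-encoding the payload in the link does not protect the handler."""
    return {"REQUEST_METHOD": "GET", "PATH_INFO": raw_path}


# Constructed probe: a path that does not exist and carries script markup.
PAYLOAD_PATH = "/nope/<script>alert(document.domain)</script>"


def attacker_link(base="http://tracker.example", raw_path=PAYLOAD_PATH):
    """The link a victim would be sent: the markup is percent-encoded on
    the wire and decoded again by the server before reaching the handler."""
    return base + quote(raw_path, safe="/")


def reflected_unescaped(handler, raw_path=PAYLOAD_PATH):
    """True if the handler echoes the probe's markup back verbatim, i.e.
    the 404 response is reflected-XSS prone."""
    _status, _headers, body = handler(make_environ(raw_path))
    return "<script>alert(document.domain)</script>" in body


if __name__ == "__main__":
    print("attacker link:", attacker_link())
    print("vulnerable reflects markup:", reflected_unescaped(not_found_vulnerable))
    print("fixed reflects markup:     ", reflected_unescaped(not_found_fixed))
```

The check to run against a real deployment is the same shape: request a non-existent path containing a harmless marker such as `<b>probe</b>` and inspect whether the 404 body contains the tag raw or as `&lt;b&gt;`.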
Successful exploitation allows an attacker to perform actions on behalf of the victim, steal cookies, or deface the site. The full impact depends on the application's trust level and data sensitivity [4].
The vulnerability was reported to the Roundup project and fixed in the project repository, but at the time of the oss-security report no official release containing the fix had been made [2]. Users were advised to apply the repository commit manually or restrict access to the vulnerable endpoints; the Affected packages table below lists 2.0.0alpha0 as the first patched PyPI release.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| roundup (PyPI) | < 2.0.0alpha0 | 2.0.0alpha0 |
Affected products
- Range: <= 1.6
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-926q-wxr6-3crq (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-10904 (NVD)
- www.openwall.com/lists/oss-security/2019/04/07/1 (oss-security mailing list)
- bugs.python.org/issue36391
- github.com/pypa/advisory-database/tree/main/vulns/roundup/PYSEC-2019-201.yaml
- github.com/python/bugs.python.org/issues/34
- lists.debian.org/debian-lts-announce/2019/04/msg00009.html (debian-lts-announce mailing list)
- pypi.org/project/roundup/2.0.0alpha0
- www.openwall.com/lists/oss-security/2019/04/05/1 (oss-security mailing list)
News mentions
No linked articles in our index yet.