CVE-2019-13646
Description
Firefly III before 4.7.17.3 is vulnerable to reflected XSS due to lack of filtration of user-supplied data in a search query. NOTE: It is asserted that an attacker must have the same access rights as the user in order to be able to execute the vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Firefly III before 4.7.17.3 contains a reflected XSS vulnerability due to insufficient sanitization of user-supplied data in search queries.
Vulnerability
Analysis
CVE-2019-13646 describes a reflected cross-site scripting (XSS) vulnerability in Firefly III, an open-source personal finance manager. The vulnerability exists in versions prior to 4.7.17.3 and stems from a lack of proper filtration of user-supplied data within a search query parameter. When a user submits a search request, the application reflects the input back in the response without adequate encoding or sanitization, allowing an attacker to inject malicious scripts [1].
Exploitation
To exploit this vulnerability, an attacker must have the same access rights as the intended victim, meaning both the attacker and victim must be authenticated users of the Firefly III instance. The attacker can craft a malicious link containing a specially crafted search query that, when clicked by the victim, executes JavaScript in the context of the victim's session. This could be delivered via social engineering, such as a phishing email or a deceptive link on another site [1].
Impact
Successful exploitation enables an attacker to execute arbitrary JavaScript in the victim's browser within the Firefly III application's security context. This could lead to session hijacking, theft of authentication cookies, defacement of the page, or redirection to malicious sites. Since the vulnerability is reflected (non-persistent), the attacker must convince the user to interact with the crafted link to achieve execution [1].
Mitigation
The vulnerability was addressed in Firefly III version 4.7.17.3, released on July 16, 2019. The fix is reflected in commit f795cb07e1bb9ad3bd0dceeafbb0ece4ebe518d7, which introduced proper output encoding for search query parameters [3]. Users are strongly advised to upgrade to this version or later. As of the publication date, there is no evidence that this CVE has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| grumpydictator/firefly-iii (Packagist) | < 4.7.17.3 | 4.7.17.3 |
Affected products
- Firefly III / Firefly III
Patches
1 file changed · +1 −1
resources/views/v1/search/index.twig+1 −1 modified@@ -31,7 +31,7 @@ </div> </form> <p> - {{ trans('firefly.search_for_query', {query: query})|raw}} + {{ trans('firefly.search_for_query', {query: query|escape})|raw}} </p> {% if modifiers|length > 0 %} <p>{{ trans('firefly.modifiers_applies_are') }}</p>
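Review bot: the `|escape` filter is applied to `query` inside the `trans()` argument, so the user-controlled search term is HTML-encoded before the translated string is emitted through `|raw`; that ordering is what makes the fix effective, because `|raw` disables Twig autoescaping for the whole expression and previously let the query through verbatim. Worth confirming that `firefly.search_for_query` actually contains markup that justifies keeping `|raw` (if it does not, dropping `|raw` and relying on autoescape is the simpler and safer form), and that no other translation rendered with `|raw` interpolates request data in the same way. `escape` defaults to the `html` strategy, which matches the `<p>` text context shown in this hunk.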
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. github.com/advisories/GHSA-mrc2-h7q2-pp97 (GHSA advisory)
2. nvd.nist.gov/vuln/detail/CVE-2019-13646 (NVD advisory)
3. github.com/firefly-iii/firefly-iii/commit/f795cb07e1bb9ad3bd0dceeafbb0ece4ebe518d7 (fix commit)
4. github.com/firefly-iii/firefly-iii/compare/a70b7cc...7d482aa (compare view)
5. github.com/firefly-iii/firefly-iii/issues/2339 (issue)